CVE-2021-44685

CRITICAL

git-it through 4.4.0 - OS Command Injection via Unsanitized Branch Name in the Branches Aren't Just For Birds Challenge

Title source: llm

Description

Git-it through 4.4.0 allows OS command injection at the Branches Aren't Just For Birds challenge step. During the verification process, it attempts to run the reflog command followed by the current branch name (which is not sanitized for execution). In other words, the branch name is concatenated into the command string instead of being passed as a separate argument, so shell metacharacters in a branch name (such as ; or $( )) are interpreted by the shell rather than handed to git as a ref, which is the classic CWE-78 pattern.

References (2)

Exploit, Issue Tracking, Third Party Advisory
https://github.com/dwisiswant0/advisory/issues/3
Release Notes, Third Party Advisory
https://github.com/jlord/git-it-electron/releases

Scores

CVSS v3 9.8
EPSS 0.0347
EPSS Percentile 87.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Caveat: the vector above is as assigned. The injected input is the name of the branch currently checked out in the learner's working repository, so a practical attack requires the victim to have checked out an attacker-named branch (for example from a cloned repository) before the challenge verifier runs; the injected command then executes on the learner's machine with the learner's privileges.

Details

CWE
CWE-78
Status published
Products (2)
git-it_project/git-it <= 4.4.0
npm/git-it-electron
Published Dec 07, 2021
Tracked Since Feb 18, 2026