CVE-2022-25866

HIGH

czproject/git-php < 4.0.3 - Command Injection via git ls-remote Argument Injection

Title source: llm

Description

The package czproject/git-php before 4.0.3 are vulnerable to Command Injection via git argument injection. When calling the isRemoteUrlReadable($url, array $refs = NULL) function, both the url and refs parameters are passed to the git ls-remote subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.

References (3)

Core 3

Core References

Exploit, Patch, Third Party Advisory x_refsource_misc

https://snyk.io/vuln/SNYK-PHP-CZPROJECTGITPHP-2421349

Patch, Third Party Advisory x_refsource_misc

https://github.com/czproject/git-php/commit/5e82d5479da5f16d37a915de4ec55e1ac78de733

View Patch ZIP pw:eip

Release Notes, Third Party Advisory x_refsource_misc

https://github.com/czproject/git-php/releases/tag/v4.0.3

Scores

CVSS v3 8.1

EPSS 0.0383

EPSS Percentile 88.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-88

Status published

Products (2)

czproject/git-php 0 - 4.0.3Packagist

git-php_project/git-php < 4.0.3

Published Apr 25, 2022

Tracked Since Feb 18, 2026