CVE-2024-21533

MEDIUM

ggit - Command Injection

Title source: llm

Description

All versions of the package ggit are vulnerable to Arbitrary Argument Injection via the clone() API, which allows specifying the remote URL to clone and the file on disk to clone to. The library does not sanitize for user input or validate a given URL scheme, nor does it properly pass command-line flags to the git binary using the double-dash POSIX characters (--) to communicate the end of options.

Exploits (1)

nomisec WORKING POC

by lirantal · poc

https://github.com/lirantal/CVE-2024-21533-PoC-ggit

View Code ZIP pw:eip

References (3)

[Various Sources] https://gist.github.com/lirantal/80c6d59ac1b682a32bc9d2ff92044bb9

[Third Party Advisory] https://github.com/bahmutov/ggit/blob/2e85b0316d9c272e067dca5679d39e302f4cb9cd/README.md?plain=1#L3

[Third Party Advisory] https://security.snyk.io/vuln/SNYK-JS-GGIT-5731319

Scores

CVSS v3 6.5

EPSS 0.0004

EPSS Percentile 12.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-88

Status published

Products (2)

n/a/ggit

npm/ggit 0npm

Published Oct 08, 2024

Tracked Since Feb 18, 2026