CVE-2025-59831
HIGHgit-commiters < 0.1.2 - OS Command Injection via Unsanitized Options
Title source: llmDescription
git-commiters is a Node.js function module providing committers stats for their git repository. Prior to version 0.1.2, there is a command injection vulnerability in git-commiters. This vulnerability manifests with the library's primary exported API: gitCommiters(options, callback) which allows specifying options such as cwd for current working directory and revisionRange as a revision pointer, such as HEAD. However, the library does not sanitize for user input or practice secure process execution API to separate commands from their arguments and as such, uncontrolled user input is concatenated into command execution. This issue has been patched in version 0.1.2.
References (2)
Core 2
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/snowyu/git-commiters.js/security/advisories/GHSA-g38c-wxjf-xrh6
Scores
CVSS v3
8.8
EPSS
0.0013
EPSS Percentile
32.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-78
CWE-77
Status
published
Products (2)
npm/git-commiters
0 - 0.1.2npm
riceball/git-commiters
< 0.1.2
Published
Sep 25, 2025
Tracked Since
Feb 18, 2026