Arbitrary Command Injection
Overview: renovate is a dependency updater. Affected versions of this package are vulnerable to Arbitrary Command Injection due to the improper sanitization of the user-supplied depName in the packagesToInstall and packagesToUninstall functions of the hermit manager. An attacker can execute arbitrary...
Renovate vulnerable to arbitrary command injection via hermit manager and maliciously named dependencies
Summary: The user-provided string depName in the hermit manager is appended to the ./hermit install and ./hermit uninstall commands without proper sanitization. Details: Adversaries can provide a maliciously named hermit dependency in conjunction with a tweaked Renovate configuration file to trick...
EUVD-2026-2095
Renovate vulnerable to arbitrary command injection via hermit manager and maliciously named dependencies...
GHSA-36J9-MX87-2CFF Renovate vulnerable to arbitrary command injection via hermit manager and maliciously named dependencies