17 matches found

Github Security Blog
added 6 days ago, 6 views

pnpm: Git Fetch Argument Injection via Lockfile resolution.commit

Summary: pnpm passes the lockfile-controlled git resolution.commit value to git fetch without a -- separator or commit-format validation. For git dependencies fetched through the shallow-fetch path, a malicious lockfile can replace the expected 40-character commit hash with a Git option such as...

CVSS 7.3, AI score 6, EPSS 0.0018
Exploits: 1, References: 3, Affected software: 1
NVD
added last week, 8 views

CVE-2026-50014

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm passes the lockfile-controlled git resolution.commit value to git fetch without a -- separator or commit-format validation. For git dependencies fetched through the shallow-fetch path, a malicious lockfile can replace the expected...

CVSS 7.3, EPSS 0.0018
Exploits: 1, References: 1
CVE
added last week, 15 views

CVE-2026-50014

Summary: CVE-2026-50014 affects pnpm prior to 10.34.0 and 11.4.0. The lockfile-controlled git resolution.commit value is passed to git fetch without a separator or commit-format validation, enabling a malicious lockfile to inject git options (notably --upload-pack) in shallow-fetch paths. This ca...

CVSS 7.3, AI score 5.9, EPSS 0.0018
Exploits: 1, References: 1, Affected software: 1
Cvelist
added last week, 28 views

CVE-2026-50014 pnpm: Git Fetch Argument Injection via Lockfile resolution.commit

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm passes the lockfile-controlled git resolution.commit value to git fetch without a -- separator or commit-format validation. For git dependencies fetched through the shallow-fetch path, a malicious lockfile can replace the expected...

CVSS 6.4, EPSS 0.0018
Exploits: 1, References: 1
Positive Technologies
added 2026/06/25 12:00 a.m., 6 views

PT-2026-52513

Name of the vulnerable software and affected versions: pnpm versions prior to 10.34.0; pnpm versions prior to 11.4.0. Description: pnpm passes the git resolution.commit value from the lockfile to the git fetch command without using a -- separator or performing commit-format validation. When git...

CVSS 6.4, AI score 5.9, EPSS 0.0018
Exploits: 1, References: 5
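The bug class behind these five pnpm entries, as an added example that is neither pnpm's code nor text from the advisories: a lockfile-controlled resolution.commit string is spliced into a git fetch argument vector, and without commit-format validation or a -- separator an option-looking value is parsed by git as an option. The lockfile fragments, the URL and every function name below are constructed for illustration; classifyArgv is a model of how a getopt-style parser (git's parse-options behaves this way, including accepting options after positional arguments and stopping at a bare --) splits an argv, and it does not run git.

```javascript
// Added example (not pnpm's code, not from the advisory). Models the argument
// injection described for CVE-2026-50014 and the two fixes the advisory names:
// commit-format validation and a "--" separator before positional arguments.
// All names, URLs and lockfile data are illustrative/constructed.

// Constructed lockfile fragments (not real pnpm lockfile data).
const REPO_URL = 'https://git.example.invalid/org/repo.git';

const BENIGN_ENTRY = { repo: REPO_URL, commit: '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b' };

// The expected 40-hex commit replaced with a git option, as the advisory describes.
const MALICIOUS_ENTRY = { repo: REPO_URL, commit: '--upload-pack=touch /tmp/pwned' };

// Vulnerable pattern: the lockfile value is passed through as a bare argument.
// git's option parser also accepts options *after* positional arguments, so
// placing the commit last does not protect against this.
function buildFetchArgvVulnerable(entry) {
  return ['fetch', '--depth=1', entry.repo, entry.commit];
}

// Fix 1: accept only a full object name (40 hex chars for SHA-1, 64 for SHA-256
// repositories), lowercase as git prints them. Anything else is rejected before
// it can reach argv.
const COMMIT_RE = /^(?:[0-9a-f]{40}|[0-9a-f]{64})$/;

function assertCommitHash(value) {
  if (typeof value !== 'string' || !COMMIT_RE.test(value)) {
    throw new Error(`lockfile resolution.commit is not a commit hash: ${JSON.stringify(value)}`);
  }
  return value;
}

// Fix 2: a "--" separator ends option parsing, so even a value that slipped past
// validation is handled as a positional argument, never as an option.
function buildFetchArgvHardened(entry) {
  const commit = assertCommitHash(entry.commit);
  return ['fetch', '--depth=1', '--', entry.repo, commit];
}

// Minimal model of a getopt-style split: tokens starting with "-" are options
// until a bare "--" is seen; everything after "--" is positional. Shows where
// each token ends up; it does not invoke git.
function classifyArgv(argv) {
  const options = [];
  const positionals = [];
  let optionsEnded = false;
  for (const token of argv.slice(1)) { // argv[0] is the git subcommand
    if (!optionsEnded && token === '--') {
      optionsEnded = true;
      continue;
    }
    if (!optionsEnded && token.length > 1 && token.startsWith('-')) {
      options.push(token);
    } else {
      positionals.push(token);
    }
  }
  return { options, positionals };
}

// Review helper for a lockfile before install: returns every git dependency
// whose commit field would not pass assertCommitHash.
function findSuspiciousCommits(entries) {
  return entries.filter((e) => !COMMIT_RE.test(String(e.commit)));
}

console.log('vulnerable:', classifyArgv(buildFetchArgvVulnerable(MALICIOUS_ENTRY)));
console.log('hardened  :', classifyArgv(buildFetchArgvHardened(BENIGN_ENTRY)));
console.log('suspicious:', findSuspiciousCommits([BENIGN_ENTRY, MALICIOUS_ENTRY]));
```

The two fixes are independent: the hash check stops the malicious value at the lockfile boundary, and the -- separator is defence in depth for the day the check is loosened (for example to accept tags or branch names). findSuspiciousCommits is the kind of pre-install check a CI pipeline can run over a lockfile it did not generate itself.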
RedHat Linux
added 2025/12/04 12:50 p.m., 3 views

kernel: vsock: Fix transport_* TOCTOU

In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_* TOCTOU. Transport assignment may race with module unload. Protect new_transport from becoming a stale pointer. This also takes care of an insecure call in vsock_use_local_transport(); add a lockdep assert. BUG: unab...

CVSS 4.7, AI score 5.7, EPSS 0.00113
Exploits: 0, References: 5
RedHat Linux
added 2025/09/25 12:40 a.m., 5 views

kernel: vsock: Fix transport_* TOCTOU

In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_* TOCTOU. Transport assignment may race with module unload. Protect new_transport from becoming a stale pointer. This also takes care of an insecure call in vsock_use_local_transport(); add a lockdep assert. BUG: unab...

CVSS 4.7, AI score 6.8, EPSS 0.00113
Exploits: 0, References: 5
RedHat Linux
added 2025/09/02 6:55 a.m., 5 views

kernel: vsock: Fix transport_* TOCTOU

In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_* TOCTOU. Transport assignment may race with module unload. Protect new_transport from becoming a stale pointer. This also takes care of an insecure call in vsock_use_local_transport(); add a lockdep assert. BUG: unab...

CVSS 4.7, AI score 6.8, EPSS 0.00113
Exploits: 0, References: 5
RedHat Linux
added 2024/01/25 8:01 a.m., 2 views

git: data exfiltration with maliciously crafted repository

A vulnerability was found in Git. Using a specially-crafted repository, Git can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links (cf. CVE-2022-39253), the objects...

CVSS 5.5, AI score 7.2, EPSS 0.01336
Exploits: 1, References: 6
OpenVAS
added 2023/07/25 12:00 a.m., 25 views

Huawei EulerOS: Security Advisory for git (EulerOS-SA-2023-2424)

The remote host is missing an update for the Huawei EulerOS...

CVSS 9.8, AI score 8.4, EPSS 0.56334
Exploits: 4, References: 2
RedHat Linux
added 2023/05/22 7:11 a.m., 38 views

git: data exfiltration with maliciously crafted repository

A vulnerability was found in Git. Using a specially-crafted repository, Git can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links (cf. CVE-2022-39253), the objects...

CVSS 5.5, AI score 7.2, EPSS 0.0071
Exploits: 0, References: 6
OpenVAS
added 2023/03/28 12:00 a.m., 24 views

Mageia: Security Advisory (MGASA-2023-0066)

The remote host is missing an update for the...

CVSS 7.5, AI score 6.9, EPSS 0.01144
Exploits: 3, References: 5
Tenable Nessus
added 2023/02/21 12:00 a.m., 41 views

FreeBSD : git -- Local clone-based data exfiltration with non-local transports (9548d6ed-b1da-11ed-b0f4-002590f2a714)

The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the 9548d6ed-b1da-11ed-b0f4-002590f2a714 advisory. - Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2,...

CVSS 5.5, AI score 7.1, EPSS 0.01336
Exploits: 1, References: 3
RedhatCVE
added 2023/02/17 3:59 p.m., 80 views

CVE-2023-22490

A vulnerability was found in Git. Using a specially-crafted repository, Git can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links (cf. CVE-2022-39253), the objects...

CVSS 5.5, AI score 6.4, EPSS 0.01336
Exploits: 1, References: 5
Debian CVE
added 2023/02/14 7:47 p.m., 52 views

CVE-2023-22490

Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8 can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort loca...

CVSS 5.5, AI score 6.4, EPSS 0.0071
Exploits: 0
OSV
added 2023/02/14 6:37 p.m., 13 views

USN-5871-1 git vulnerabilities

It was discovered that Git incorrectly handled certain repositories. An attacker could use this issue to make Git use its local clone optimization even when using a non-local transport. (CVE-2023-22490) Joern Schneeweisz discovered that Git incorrectly handled certain commands. An attacker could...

CVSS 7.5, AI score 6.8, EPSS 0.01144
Exploits: 3, References: 3
FreeBSD
added 2023/02/14 12:00 a.m., 46 views

git -- Local clone-based data exfiltration with non-local transports

git team reports: Using a specially-crafted repository, Git can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links (cf. CVE-2022-39253), the objects directory...

CVSS 5.5, AI score 6.9, EPSS 0.0071
Exploits: 0, References: 1