async-git is vulnerable to command injection. An attacker is able to inject malicious OS command to the system shell via the getter
function in the index.js
file.
advisory.checkmarx.net/advisory/CX-2021-4772
github.com/omrilotan/async-git/pull/13
github.com/omrilotan/async-git/pull/13/commits/611823bd97dd41e9e8127c38066868ff9dcfa57a
github.com/omrilotan/async-git/pull/13/commits/a5f45f58941006c4cc1699609383b533d9b92c6a
github.com/omrilotan/async-git/pull/14
www.npmjs.com/advisories/1614