CVE-2022-25865: Improper Neutralization of Special Elements used in a Command ('Command Injection')

May 14, 2022 (updated May 25, 2022)

The package workspace-tools before 0.18.4 is vulnerable to Command Injection via git argument injection. When calling the fetchRemoteBranch(remote: string, remoteBranch: string, cwd: string) function, both the remote and remoteBranch parameters are passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.

References

github.com/advisories/GHSA-5875-m6jq-vf78
github.com/microsoft/workspace-tools/commit/9bc7e65ce497f87e1f363fd47b8f802f3d3cd978
github.com/microsoft/workspace-tools/pull/103
nvd.nist.gov/vuln/detail/CVE-2022-25865
snyk.io/vuln/SNYK-JS-WORKSPACETOOLS-2421201

Code Behaviors & Features

Detect and mitigate CVE-2022-25865 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →