CVE-2024-21532 Information

Description

All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API which allows user input to specify the branch to be fetched and then concatenates this string along with a git command which is then passed to the unsafe exec() Node.js child process API.

Reference

https://security.snyk.io/vuln/SNYK-JS-GGIT-5731320 https://gist.github.com/lirantal/d8f87b366d2078e6118ab7bf2b005f02