CVE-2021-23632

CVE-2021-23632 is a medium-severity vulnerability in Git Project Git with a CVSS 3.x base score of 6.6. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-78.

Key facts

Description

All versions of package git are vulnerable to Remote Code Execution (RCE) due to missing sanitization in the Git.git method, which allows execution of OS commands rather than just git commands. Steps to Reproduce 1. Create a file named exploit.js with the following content: js var Git = require("git").Git; var repo = new Git("repo-test"); var user_input = "version; date"; repo.git(user_input, function(err, result) { console.log(result); }) 2. In the same directory as exploit.js, run npm install git. 3. Run exploit.js: node exploit.js. You should see the outputs of both the git version and date command-lines. Note that the repo-test Git repository does not need to be present to make this PoC work.

Frequently asked questions

What is CVE-2021-23632?
All versions of package git are vulnerable to Remote Code Execution (RCE) due to missing sanitization in the Git.git method, which allows execution of OS commands rather than just git commands. Steps to Reproduce 1. Create a file named exploit.js with the following content: js var Git = require("git").Git; var repo = new Git("repo-test"); var user_input = "version; date"; repo.git(user_input, function(err, result) { console.log(result); }) 2. In the same directory as exploit.js, run npm install git. 3. Run exploit.js: node exploit.js. You should see the outputs of both the git version and date command-lines. Note that the repo-test Git repository does not need to be present to make this PoC work.
How severe is CVE-2021-23632?
CVE-2021-23632 has a CVSS 3.x base score of 6.6, rated medium severity. It is exploitable over network with high attack complexity, requires high privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2021-23632 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (80th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2021-23632?
CVE-2021-23632 affects Git Project Git. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2021-23632?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2021-23632 published?
CVE-2021-23632 was published on 2022-03-17 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Git Project Git

All CVEs affecting Git Project Git →

Other CWE-78 (OS Command Injection) vulnerabilities

Browse all CWE-78 (OS Command Injection) vulnerabilities →