Description

willitmerge is a command line tool to check if pull requests are mergeable. In versions 0.2.1 and prior, there is a command Injection vulnerability in willitmerge. The vulnerability manifests in this package due to the use of insecure child process execution API (exec) to which it concatenates user input, whether provided to the command-line flag, or is in user control in the target repository. At time of publication, no known fix is public.

Related CPE's

a

dontkry

willitmerge

*

*

*

*

*

node.js

Vulnerable

References

https://github.com/shama/willitmerge/blob/2fe91d05191fb05ac6da685828d109a3a5885028/lib/willitmerge.js#L189-L197

Product

https://github.com/shama/willitmerge/security/advisories/GHSA-j9wj-m24m-7jj6

ExploitVendor Advisory

https://github.com/shama/willitmerge/security/advisories/GHSA-j9wj-m24m-7jj6

ExploitVendor Advisory

Weaknesses

[email protected]

Secondary
CWE-77

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8 · Critical

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2025-11-29T02:15:52.577

2 weeks ago

Last modified

2025-12-19T15:52:58.037

3 hours ago