CVE-2024-21532 HIGH

Vendor N/A
Product ggit
Weakness CWE-78
Published October 8, 2024
Last update March 21, 2026

CVSS base score

7.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P

What the vulnerability does

01 Description

All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API. The API lets user input specify the branch to be fetched, concatenates that string into a git command, and passes the result to the unsafe exec() Node.js child process API.
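
The pattern described above next to a hardened form, as an added example that is not ggit's own code: the exact git arguments and the names `unsafeCommandString`, `buildFetchTagsArgs`, `fetchTagsSafe` and `isAccepted` are assumptions made for illustration, and the sample inputs are constructed.

```javascript
// Added example; not ggit's source. The git arguments and all names are assumptions.

// Pattern the advisory describes: input concatenated into one string for exec(),
// which hands it to a shell, so metacharacters in `branch` are interpreted.
// This function only builds the string so the effect can be inspected.
function unsafeCommandString(branch) {
  return 'git fetch origin --tags ' + branch;
}

// Conservative allowlist for branch names: must start with an alphanumeric
// (so git cannot parse it as an option) and contain no shell metacharacters.
const SAFE_BRANCH = /^[A-Za-z0-9][A-Za-z0-9._\/-]{0,254}$/;

function buildFetchTagsArgs(branch) {
  if (typeof branch !== 'string' || !SAFE_BRANCH.test(branch) || branch.includes('..')) {
    throw new TypeError('invalid branch name');
  }
  // argv array: each element reaches git as exactly one argument.
  return ['fetch', 'origin', '--tags', branch];
}

// Hardened call: execFile() starts git directly, with no shell in between.
async function fetchTagsSafe(branch) {
  const args = buildFetchTagsArgs(branch); // validate before spawning anything
  const { execFile } = await import('node:child_process');
  return new Promise((resolve, reject) => {
    execFile('git', args, { timeout: 30000 }, (err, stdout) =>
      err ? reject(err) : resolve(stdout));
  });
}

// Helper for checking constructed sample inputs against the validator.
function isAccepted(branch) {
  try { buildFetchTagsArgs(branch); return true; } catch { return false; }
}
```

Validation and the argument array are independent controls: the array removes the shell from the path, and the allowlist keeps a leading `-` from being read by git as an option.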

Key dates

02 Disclosure timeline

October 8, 2024 CVE published
March 21, 2026 Record updated