CVE-2018-25083

9.8 CRITICAL

📋 TL;DR

This vulnerability in the pullit Node.js package allows attackers to execute arbitrary operating system commands by injecting malicious code into Git branch names. It affects any application using vulnerable versions of pullit that processes untrusted branch names. The eval() function on user-supplied input enables complete system compromise.

💻 Affected Systems

Products:
  • pullit
Versions: All versions before 1.4.0
Operating Systems: All platforms where Node.js runs
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using pullit with user-controlled branch names is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with the attacker gaining shell access, installing malware, stealing data, and pivoting to other systems.
🟠 Likely Case: Remote code execution leading to data theft, service disruption, or cryptocurrency mining malware installation.
🟢 If Mitigated: Limited impact if proper input validation and sandboxing prevent command execution.

🌐 Internet-Facing: HIGH - Applications accepting external Git branch names are directly exploitable.
🏢 Internal Only: MEDIUM - Internal systems using pullit with controlled inputs have reduced but still significant risk.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple command injection via branch name parameter; trivial to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.0

Vendor Advisory: https://github.com/jkup/pullit/commit/4fec455774ee08f4dce0ef2ef934ffcc37219bfb

Restart Required: Yes

Instructions:

1. Update package.json to require pullit version 1.4.0 or higher.
2. Run 'npm update pullit' or 'yarn upgrade pullit'.
3. Restart your Node.js application.

🔧 Temporary Workarounds

Input Validation (platforms: all)

Implement strict validation on branch names before passing them to pullit.

  // JavaScript example:
  if (!/^[a-zA-Z0-9\-_\/]+$/.test(branchName)) {
    throw new Error('Invalid branch name');
  }
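The allowlist above only screens characters. The following Node.js function is an added example (not code from the advisory or from the pullit project): it keeps the same allowlist and layers a few of git's own ref-name rules on top, so it also rejects names beginning with '-' (which git and wrappers would read as an option) and malformed slash paths. The function names and the sample inputs are constructed for this illustration.

```javascript
// Added example, not part of the advisory or of pullit: a branch-name gate
// to apply before any user-controlled value reaches pullit or a shell.

// Same allowlist the advisory suggests: letters, digits, '-', '_' and '/'.
const ALLOWED = /^[a-zA-Z0-9\-_\/]+$/;

function isSafeBranchName(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 255) {
    return false;
  }
  if (!ALLOWED.test(name)) {
    return false;              // rejects ; | & $ ` ( ) quotes, spaces, newlines, ...
  }
  // git ref rules the character allowlist alone does not enforce
  if (name.startsWith('-')) {
    return false;              // would be parsed as a command-line option
  }
  if (name.startsWith('/') || name.endsWith('/') || name.includes('//')) {
    return false;              // not a valid ref path
  }
  return true;
}

// Throwing variant for call sites that want a hard stop, like the advisory's snippet.
function requireSafeBranchName(name) {
  if (!isSafeBranchName(name)) {
    throw new Error('Invalid branch name');
  }
  return name;
}

function classify(names) {
  return names.map((n) => ({ name: n, safe: isSafeBranchName(n) }));
}

// Constructed sample inputs (not taken from any real incident).
const SAMPLES = [
  'main',
  'feature/login-form',
  'release_2',
  'main; echo injected',   // shell metacharacters and whitespace
  'feature/$(id)',         // command substitution syntax
  '--upload-pack',         // passes the regex, rejected as an option-like name
  '/feature',              // leading slash
  'feature//x',            // empty path component
  '',                      // empty string
];

for (const { name, safe } of classify(SAMPLES)) {
  console.log(`${safe ? 'ok    ' : 'reject'} ${JSON.stringify(name)}`);
}
```

Note that the allowlist never permits '.', so git's rules about '..' and '.lock' components are covered implicitly; if you widen the allowlist, add those checks explicitly.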

Remove pullit Dependency (platforms: all)

Replace pullit with an alternative Git operations library.

npm uninstall pullit
yarn remove pullit

🧯 If You Can't Patch

  • Network segmentation to isolate systems using pullit from critical infrastructure.
  • Implement strict egress filtering to prevent command-and-control communication.

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list pullit' to see whether the installed version is below 1.4.0.

Check Version:

npm list pullit | grep pullit

Verify Fix Applied:

Confirm pullit version is 1.4.0 or higher with 'npm list pullit' and test with safe branch names.
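The grep one-liner above only shows the first match and does not compare versions. As an added example (not part of the advisory or of pullit), this Node.js snippet parses the JSON that `npm ls pullit --json --all` prints (`--all` is the npm 7+ spelling of `--depth=Infinity`) and reports every installed copy of pullit older than 1.4.0, including copies nested under other dependencies. The sample JSON is constructed to look like that output and is not from a real project.

```javascript
// Added example, not part of the advisory or of pullit: find every installed
// copy of pullit in `npm ls pullit --json --all` output and flag those below
// the first fixed release.
const FIXED_VERSION = '1.4.0';   // first patched release per the advisory

// Minimal semver compare on major.minor.patch; pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the dependency tree and collect { path, version, vulnerable } for each pullit.
function findPullit(tree, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = [...path, name];
    if (name === 'pullit' && node.version) {
      out.push({
        path: here.join(' > '),
        version: node.version,
        vulnerable: compareVersions(node.version, FIXED_VERSION) < 0,
      });
    }
    findPullit(node, here, out);   // nested copies under other packages
  }
  return out;
}

function isVulnerable(npmLsJson) {
  return findPullit(JSON.parse(npmLsJson)).some((f) => f.vulnerable);
}

// Constructed sample, shaped like `npm ls pullit --json --all` output for an
// app with a direct patched copy and a nested unpatched copy.
const SAMPLE_NPM_LS = JSON.stringify({
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    pullit: { version: '1.4.0' },
    'legacy-tool': {
      version: '0.3.1',
      dependencies: { pullit: { version: '1.3.0' } },
    },
  },
});

for (const f of findPullit(JSON.parse(SAMPLE_NPM_LS))) {
  console.log(`${f.vulnerable ? 'VULNERABLE' : 'ok        '} ${f.path} (${f.version})`);
}
```

To run it against a real tree, pipe `npm ls pullit --json --all` into the script and pass the text to `isVulnerable`; a non-zero exit on `true` makes it usable as a CI gate.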

📡 Detection & Monitoring

Log Indicators:

  • Unusual child process spawns from Node.js
  • Suspicious Git operations with special characters in branch names

Network Indicators:

  • Outbound connections from Node.js processes to unexpected destinations

SIEM Query:

process.name:node AND process.args:*eval* AND process.args:*git*
