CVE-2023-26134

9.8 CRITICAL

📋 TL;DR

CVE-2023-26134 is a command injection vulnerability in the git-commit-info npm package: the gitCommitInfo() method fails to sanitize its user-controlled commit hash parameter, allowing an attacker who controls that value to execute arbitrary commands. It affects applications that use a vulnerable version of git-commit-info and pass untrusted input to gitCommitInfo(). The vulnerability carries a CVSS score of 9.8 because of its potential for remote code execution.

💻 Affected Systems

Products:
  • git-commit-info npm package
Versions: All versions before 2.0.2
Operating Systems: All platforms where Node.js runs
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when the gitCommitInfo() method is called with user-controlled input for the commit parameter.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with the privileges of the application process, potentially leading to complete system compromise, data theft, or lateral movement within the network.

🟠 Likely Case

Command execution in the context of the application, allowing file system access, data exfiltration, or deployment of malware.

🟢 If Mitigated

No impact if input validation or proper sanitization is implemented, or if the vulnerable function isn't exposed to untrusted input.

🌐 Internet-Facing: HIGH if the vulnerable function is exposed to external users via web interfaces or APIs.
🏢 Internal Only: MEDIUM if only internal users can access the vulnerable function, but could still lead to privilege escalation or lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward once an attacker controls the commit hash parameter passed to gitCommitInfo().

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.2

Vendor Advisory: https://github.com/JPeer264/node-git-commit-info/commit/f7c491ede51f886a988af9b266797cb24591d18c

Restart Required: Yes

Instructions:

1. Update package.json to specify git-commit-info version 2.0.2 or higher.
2. Run 'npm update git-commit-info' or 'yarn upgrade git-commit-info'.
3. Restart the application to load the patched version.

🔧 Temporary Workarounds

Input validation wrapper

Platform: all

Implement strict input validation for the commit parameter before passing it to gitCommitInfo():

// Validate that the commit hash is exactly 40 lowercase hex characters
// (a full SHA-1 object id as git prints it) before calling gitCommitInfo()
function assertValidCommitHash(commit) {
  if (!/^[0-9a-f]{40}$/.test(commit)) {
    throw new Error('Invalid commit hash');
  }
  return commit;
}

Environment isolation

Platform: linux

Run the application with minimal privileges and in a restricted container/sandbox:

docker run --read-only --cap-drop=ALL -u nobody node-app

🧯 If You Can't Patch

  • Remove or disable functionality that calls gitCommitInfo() with untrusted input
  • Implement network segmentation to isolate vulnerable systems from critical assets

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules/git-commit-info/package.json for version <2.0.2

Check Version:

npm list git-commit-info | grep git-commit-info

Verify Fix Applied:

Verify installed version is 2.0.2 or higher using 'npm list git-commit-info'

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns in application logs
  • Git commands with unexpected arguments or shell metacharacters

Network Indicators:

  • Outbound connections from the application to unexpected destinations following git operations

SIEM Query:

process.name:node AND cmdline:*git* AND (cmdline:*;* OR cmdline:*&* OR cmdline:*|* OR cmdline:*`*)
