CVE-2024-21532
📋 TL;DR
CVE-2024-21532 is a command injection vulnerability in the ggit npm package that allows attackers to execute arbitrary commands on the host system. The vulnerability exists in the fetchTags(branch) API where user-controlled branch names are passed directly to exec() without proper sanitization. All users of the ggit package are affected.
💻 Affected Systems
- ggit
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with remote code execution, allowing attackers to install malware, exfiltrate data, or pivot to other systems.
Likely Case
Limited command execution within the application's context, potentially leading to data theft, service disruption, or privilege escalation.
If Mitigated
No impact if input validation prevents malicious branch names or if the vulnerable function isn't exposed to untrusted users.
🎯 Exploit Status
Exploitation is straightforward: attackers can inject shell commands via the branch parameter. A public proof-of-concept demonstrates the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None
Vendor Advisory: https://security.snyk.io/vuln/SNYK-JS-GGIT-5731320
Restart Required: No
Instructions:
No official patch available. Consider removing ggit dependency or implementing strict input validation.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict validation of branch names before passing them to fetchTags(). Reject any input containing shell metacharacters.
// JavaScript example: validate branch name
const isValidBranch = /^[a-zA-Z0-9\-\_\/\.]+$/.test(branchName);
if (!isValidBranch) throw new Error('Invalid branch name');
Use Safe Child Process Methods
Replace exec() with execFile() or spawn() with proper argument handling to prevent command injection.
// Replace: exec(`git fetch --tags ${branch}`)
// With: execFile('git', ['fetch', '--tags', branch])
🧯 If You Can't Patch
- Remove or disable functionality using fetchTags() with user input
- Implement network segmentation and restrict outbound connections from affected systems
🔍 How to Verify
Check if Vulnerable:
Check if your application uses ggit package and calls fetchTags() with user-controlled input. Review code for exec() calls with unsanitized user input.
Check Version:
npm list ggit
Verify Fix Applied:
Test that branch names containing shell metacharacters (; & | $ `) are rejected or properly escaped before reaching exec().
📡 Detection & Monitoring
Log Indicators:
- Unusual git commands in application logs
- Process execution with unexpected arguments
- Failed git operations with malformed branch names
Network Indicators:
- Unexpected outbound connections from Node.js processes
- DNS requests for suspicious domains following git operations
SIEM Query:
process.name:node AND cmdline:*git* AND (cmdline:*;* OR cmdline:*&* OR cmdline:*|* OR cmdline:*`*)