CVE-2025-59046
📋 TL;DR
CVE-2025-59046 is a command injection vulnerability in the interactive-git-checkout npm package that allows attackers to execute arbitrary commands on systems running vulnerable versions. This affects anyone using interactive-git-checkout version 1.1.4 or earlier, particularly developers and systems administrators who have installed this tool globally.
💻 Affected Systems
- interactive-git-checkout
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with remote code execution, allowing attackers to install malware, exfiltrate data, or pivot to other systems.
Likely Case
Local privilege escalation or execution of arbitrary commands in the context of the user running the vulnerable tool.
If Mitigated
Limited impact if proper input validation and sanitization are implemented, restricting execution to intended git operations only.
🎯 Exploit Status
Exploitation requires user interaction to input malicious branch names. The vulnerability is straightforward to exploit once an attacker can control input.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after commit 8dd832dd302af287a61611f4f85e157cd1c6bb41
Vendor Advisory: https://github.com/ninofiliu/interactive-git-checkout/security/advisories/GHSA-4wcm-7hjf-6xw5
Restart Required: No
Instructions:
1. Update interactive-git-checkout to the latest version using: npm update -g interactive-git-checkout
2. Verify the update was successful by checking the version
🔧 Temporary Workarounds
Use git checkout directly
Avoid using the vulnerable interactive-git-checkout tool and use native git commands instead
git checkout <branch-name>
Uninstall vulnerable package
Remove the vulnerable package entirely until a patched version is available
npm uninstall -g interactive-git-checkout
🧯 If You Can't Patch
- Restrict usage of interactive-git-checkout to trusted users only
- Implement strict input validation at the organizational level before passing branch names to the tool
🔍 How to Verify
Check if Vulnerable:
Check if interactive-git-checkout is installed and its version: npm list -g interactive-git-checkout
Check Version:
npm list -g interactive-git-checkout | grep interactive-git-checkout
Verify Fix Applied:
After updating, verify the version is greater than 1.1.4 using: interactive-git-checkout --version
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution following git checkout operations
- Suspicious child process spawns from Node.js applications
Network Indicators:
- Unexpected outbound connections from systems running interactive-git-checkout
SIEM Query:
process.name:"node" AND process.args:"interactive-git-checkout" AND process.args:"checkout"