CVE-2025-66219
📋 TL;DR
CVE-2025-66219 is a command injection vulnerability in willitmerge, a command-line tool for checking pull request mergeability. Attackers can execute arbitrary commands on systems running vulnerable versions by injecting malicious input through command-line flags or repository content. This affects anyone using willitmerge versions 0.2.1 and earlier.
💻 Affected Systems
- willitmerge
📦 What is this software?
Willitmerge by Dontkry
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing remote code execution, data theft, lateral movement, and complete control of the affected system.
Likely Case
Arbitrary command execution in the context of the willitmerge process, potentially leading to data exposure, system modification, or further exploitation.
If Mitigated
Limited impact if proper input validation and security controls prevent command injection attempts.
🎯 Exploit Status
Exploitation requires the user to run willitmerge with malicious input, but no authentication is needed once the tool is invoked.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://github.com/shama/willitmerge/security/advisories/GHSA-j9wj-m24m-7jj6
Restart Required: No
Instructions:
No official patch available. Monitor the GitHub advisory for updates and apply any future patches immediately.
🔧 Temporary Workarounds
Discontinue use of willitmerge
Stop using willitmerge until a patched version is available. Use alternative tools for checking pull request mergeability.
Restrict input sources
Only run willitmerge with trusted, validated input sources. Avoid using command-line flags with user-controlled data.
🧯 If You Can't Patch
- Remove willitmerge from all systems and use alternative tools
- Implement strict input validation and sanitization for any data passed to willitmerge
🔍 How to Verify
Check if Vulnerable:
Check the installed willitmerge version using 'npm list -g willitmerge', or check the project's package.json. If the version is 0.2.1 or earlier, the system is vulnerable.
Check Version:
npm list -g willitmerge | grep willitmerge
Verify Fix Applied:
Once a patch is available, update to the patched version and verify the version number is above 0.2.1.
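The version check above can be scripted. The following shell functions are an added example, not part of the advisory or of the willitmerge project: they parse the willitmerge@X.Y.Z line that npm list -g prints and compare version components numerically, so a hypothetical 0.10.0 is not mistaken for an affected release by a plain string comparison. The 0.2.1 boundary comes from the page; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an installed willitmerge
# version falls in the affected range of CVE-2025-66219 (0.2.1 and earlier).
LAST_VULNERABLE="0.2.1"

# ver_le A B -> exit 0 if A <= B, comparing dotted components numerically.
# A plain string compare would wrongly rank "0.10.0" below "0.2.1".
ver_le() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    sub(/[-+].*/, "", a); sub(/[-+].*/, "", b)   # drop pre-release/build suffixes
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 0
  }'
}

# is_vulnerable VERSION -> exit 0 when VERSION is 0.2.1 or earlier
is_vulnerable() {
  ver_le "$1" "$LAST_VULNERABLE"
}

# installed_version -> print the globally installed version by parsing the
# "willitmerge@X.Y.Z" line that "npm list -g willitmerge" (the page's check) emits
installed_version() {
  npm list -g willitmerge 2>/dev/null | sed -n 's/.*willitmerge@\([^ ]*\).*/\1/p' | head -n 1
}

# check_system -> 0 = not affected, 1 = affected, 2 = not installed globally
check_system() {
  v=$(installed_version)
  if [ -z "$v" ]; then
    echo "willitmerge is not installed globally"
    return 2
  fi
  if is_vulnerable "$v"; then
    echo "willitmerge $v is in the affected range of CVE-2025-66219"
    return 1
  fi
  echo "willitmerge $v is above 0.2.1"
  return 0
}
# Run the check only when invoked directly with --run, so the file can also be sourced
if [ "${1-}" = "--run" ]; then check_system; fi
```

Pre-release suffixes such as 0.2.1-beta are treated as the corresponding release, which keeps the check conservative.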
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution patterns from willitmerge process
- Suspicious child process creation by willitmerge
Network Indicators:
- Unexpected outbound connections from systems running willitmerge
SIEM Query:
process.parent.name:"node" AND process.parent.args:"willitmerge"