Async-Git · CVE-2020-28490
Name of the Vulnerable Software and Affected Versions:
async-git versions prior to 1.13.2
Description:
The issue is command injection via shell meta-characters, specifically back-ticks. The `git.reset()` function is vulnerable: its argument reaches a shell, where back-ticks are interpreted as a command substitution, so a call such as `` git.reset('a`touch HACKED`b') `` (the `a` and `b` are ordinary characters surrounding the injected command) runs the embedded `touch HACKED` instead of treating the value as a plain ref.
Recommendations:
For versions prior to 1.13.2, update to version 1.13.2 or later to resolve the issue.
As a temporary workaround, do not pass untrusted input to the `git.reset()` function until the patch is applied.