PT-2022-17499 · Ungit · Ungit

Alessio Della Libera · Published 2022-03-21 · Updated 2023-08-08 · CVE-2022-25766

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ungit versions prior to 1.5.20

Description: The issue occurs when calling the "/api/fetch" endpoint, where the user-controlled values remote and ref are passed to the git fetch command. By injecting git options through these values, it is possible to achieve arbitrary command execution, leading to Remote Code Execution (RCE) via argument injection.

Recommendations: For versions prior to 1.5.20, update to version 1.5.20 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/api/fetch" endpoint or disabling the git fetch command until a patch is available. Avoid using user-controlled values for the remote and ref parameters in the affected API endpoint until the issue is resolved.

Weakness Enumeration

Argument Injection
Command Injection

Related Identifiers

CVE-2022-25766
GHSA-HF8C-XR89-VFM5
SNYK-JS-UNGIT-2414099

Affected Products

Ungit