CVE-2022-25866

Name of the Vulnerable Software and Affected Versions czproject/git-php versions prior to 4.0.3

Description The issue allows for Command Injection via git argument injection. When calling the isRemoteUrlReadable($url, array $refs = NULL) function, both the url and refs parameters are passed to the git ls-remote subcommand in a way that additional flags can be set, which can be used to perform a command injection.

Recommendations For versions prior to 4.0.3, update to version 4.0.3 or later to resolve the issue. As a temporary workaround, consider restricting the input for the url and refs parameters in the isRemoteUrlReadable($url, array $refs = NULL) function to prevent command injection.