CVE-2023-26143

Name of the Vulnerable Software and Affected Versions blamer versions prior to 1.0.4

Description The issue is related to Arbitrary Argument Injection via the blameByFile() API. The library does not sanitize for user input or validate the given file path, nor does it properly pass command-line flags to the git binary using the double-dash POSIX characters (--) to communicate the end of options.

Recommendations For versions prior to 1.0.4, update to version 1.0.4 or later to resolve the issue. As a temporary workaround, consider disabling the blameByFile() API until a patch is available. Restrict access to the blameByFile() function to minimize the risk of exploitation. Avoid using unsanitized user input in the affected API until the issue is resolved.