CVE-2024-21532

Name of the Vulnerable Software and Affected Versions ggit versions all

Description The issue concerns Command Injection via the fetchTags(branch) API, which allows user input to specify the branch to be fetched. This input is then concatenated with a git command and passed to the unsafe exec() Node.js child process API.

Recommendations For all versions, consider disabling the fetchTags(branch) API until a patch is available to prevent exploitation. Restrict access to the exec() function to minimize the risk of Command Injection. Avoid using user-inputted data in the branch variable to prevent malicious commands from being executed. At the moment, there is no information about a newer version that contains a fix for this vulnerability.