Description
Versions of the package degit before 2.8.6, from 3.0.0 and before 3.3.1 are vulnerable to Command Injection due to improper sanitisation of user input for git shell commands directly invoked with exec() method by _cloneWithGit() and fetchRefs() functions. An attacker can execute arbitrary operating system commands as the process user by supplying a specially crafted git repository name.
Published: 2026-06-09
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Versions of the degit package prior to 2.8.6 and pre‑3.3.1 allow an attacker to inject shell commands because user supplied repository names are concatenated into git commands executed via exec(). This flaw can result in arbitrary OS command execution as the process user, providing remote code execution capability.

Affected Systems

All projects using degit v2.x before 2.8.6 or v3.x releases before 3.3.1 are affected, including tooling that scaffolds or copies projects from Git repositories through the module. These dependencies include both direct usage and transitive dependencies in Node.js ecosystems.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. The EPSS score of 0.00069 suggests a very low probability of exploitation, and the vulnerability is not listed in CISA KEV. The likely vector is an attacker supplying a crafted repository name to degit during its operation, which may occur locally or remotely when deploying or building a project.

Generated by OpenCVE AI on June 9, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade degit to 2.8.6 or later, or to 3.3.1 or later, applying the fix commits.
  • Check dependency lock files or package.json and update any transitive dependencies that depend on the vulnerable degit version.
  • If an upgrade cannot be performed immediately, sanitize or validate any user‑supplied repository name before passing it to degit, or replace degit with a safer alternative that does not invoke git commands unsafely.

Generated by OpenCVE AI on June 9, 2026 at 16:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Command Injection Vulnerability in degit Package

Tue, 09 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Rich-harris
Rich-harris degit
Vendors & Products Rich-harris
Rich-harris degit

Tue, 09 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
Description Versions of the package degit before 2.8.6, from 3.0.0 and before 3.3.1 are vulnerable to Command Injection due to improper sanitisation of user input for git shell commands directly invoked with exec() method by _cloneWithGit() and fetchRefs() functions. An attacker can execute arbitrary operating system commands as the process user by supplying a specially crafted git repository name.
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Rich-harris Degit
cve-icon MITRE

Status: PUBLISHED

Assigner: snyk

Published:

Updated: 2026-06-09T13:14:04.550Z

Reserved: 2026-06-08T09:46:19.583Z

Link: CVE-2026-11572

cve-icon Vulnrichment

Updated: 2026-06-09T13:13:59.286Z

cve-icon NVD

Status : Deferred

Published: 2026-06-09T06:16:53.000

Modified: 2026-06-09T14:16:34.570

Link: CVE-2026-11572

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T16:30:08Z

Weaknesses