Description
Repomix is a tool that packs repositories into AI-friendly files. Prior to 1.14.1, src/core/git/gitCommand.ts execGitShallowClone passes the --remote-branch value directly to git fetch and git checkout without validation or --end-of-options, allowing --upload-pack or other Git option injection that bypasses validateGitUrl() dangerous parameter checks and can execute commands through local or SSH-style transports. This issue is fixed in version 1.14.1.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-9mm9-rqhj-j5mx | repomix Vulnerable to Command Injection (RCE) via `--remote-branch` Argument Injection |
References
History
Wed, 15 Jul 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 15 Jul 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Repomix is a tool that packs repositories into AI-friendly files. Prior to 1.14.1, src/core/git/gitCommand.ts execGitShallowClone passes the --remote-branch value directly to git fetch and git checkout without validation or --end-of-options, allowing --upload-pack or other Git option injection that bypasses validateGitUrl() dangerous parameter checks and can execute commands through local or SSH-style transports. This issue is fixed in version 1.14.1. | |
| Title | Repomix: Command Injection (RCE) via `--remote-branch` Argument Injection | |
| Weaknesses | CWE-88 | |
| References |
| |
| Metrics |
cvssV4_0
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-15T19:40:40.723Z
Reserved: 2026-06-02T18:30:51.282Z
Link: CVE-2026-49987
Updated: 2026-07-15T19:40:37.233Z
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
-
CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Github GHSA