CVE-2021-3190 — OS Command Injection in async-git

Description

The async-git package before 1.13.2 for Node.js allows OS Command Injection via shell metacharacters, as demonstrated by git.reset and git.tag. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. Ensure to sanitize untrusted user input before passing it to one of the vulnerable functions as a workaround or update async-git to version 1.13.1.

How to fix CVE-2021-3190

To remediate CVE-2021-3190, upgrade the affected package to a fixed version below.

—upgrade to 1.13.2 or later

Is CVE-2021-3190 being exploited?

Moderate — EPSS is 20.9%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, < 1.13.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-3190
PATCHgithub.com/omrilotan/async-git
WEBadvisory.checkmarx.net/advisory/CX-2021-4772
WEBgithub.com/omrilotan/async-git/pull/13
WEB