check-branches

CRITICAL (9.8)
cwe-78check-branchescommand-injectionnodejsnpmvulnerability

Threat Intelligence

Low Risk
EPSS Score: 0.12% chance of exploitation (percentile: 32%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found

How we test →

What is it?

check-branches is a command-line tool used to confirm no conflicts exist in Git branches. It's interacted with locally, or via CI, to ensure branch integrity. This vulnerability allows attackers to execute arbitrary commands on the system by manipulating branch names.

Am I affected?

You're affected if you use All versions of the. Specific version info not stated in the advisory. If you don't recognise this software, you're probably not affected.

Affected Packages

npm: check-branches

How to fix

Concrete steps:

  • Upgrade to check-branches version 2.0.0 or later from npm (https://www.npmjs.com/package/check-branches)
  • Immediately apply a mitigating patch by modifying the branch-name regex to prevent command injection: npm run patch
  • Restrict network access to your system and monitor for suspicious activity

References