willitmerge Command Injection

CRITICAL (9.8) No Patch (20 days)

Threat Intelligence

Low Risk
EPSS Score: 1.11% chance of exploitation (percentile: 78%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

willitmerge is a command-line tool used to check whether pull requests are mergeable. It's designed for developers to quickly assess the mergeability of their code changes. However, because it uses the insecure child-process execution API exec, which hands a command string to the system shell, willitmerge is vulnerable to command injection attacks. This means an attacker who controls input that ends up in that command string can inject additional shell commands, potentially leading to unauthorized access or data manipulation.

Am I affected?

You're affected if you use willitmerge version 0.2.1 or prior. To check if your installation is vulnerable, run the following command:

npm ls willitmerge

This will show you the installed version of willitmerge and its dependencies. If you don't recognize the name "willitmerge," you're probably not affected.

Version info: Affected versions are all versions prior to 0.2.1.

Affected Packages

npm: willitmerge

Affected Products

shama / willitmerge

How to fix

To fix this vulnerability, upgrade to a patched version. Unfortunately, there's no public patch link available in the advisory. Immediate mitigations include:

  • Restrict network access to your willitmerge instance (firewall it from the public internet)
  • Audit admin account activity for suspicious access patterns
  • Monitor for unauthorized token creation

You can find more information on how to fix this vulnerability by checking the vendor's GitHub page: https://github.com/shama/willitmerge.