Overview
CVE-2025-66219 describes a command injection vulnerability affecting versions 0.2.1 and prior of willitmerge, a command-line tool used to check whether pull requests are mergeable. The vulnerability allows attackers to execute arbitrary commands on the system by injecting shell syntax through user-controlled input that is concatenated into a command string passed to the `exec` function. This poses a significant risk to systems where willitmerge is deployed, particularly within CI/CD pipelines or development environments.
Technical Details
The root cause of the vulnerability lies in the insecure usage of the `exec` function within the `willitmerge.js` file. Specifically, the application concatenates user-provided input (either from command-line flags or from the target repository itself) directly into the command string passed to `exec`, which hands that string to a shell. This allows an attacker to inject arbitrary commands by crafting malicious input strings. The vulnerable code is at the GitHub location cited in the excerpt below.
// Example of vulnerable code (excerpt from https://github.com/shama/willitmerge/blob/2fe91d05191fb05ac6da685828d109a3a5885028/lib/willitmerge.js#L189-L197):
const { exec } = require('child_process');
// repoPath and branchName are derived from user-controlled input and are
// interpolated unescaped into a string that exec() passes to a shell.
const command = `git --git-dir=${repoPath}/.git fetch origin ${branchName}`;
exec(command, (error, stdout, stderr) => {
// ...
});
An attacker could inject commands through the `branchName` or `repoPath` variables.
CVSS Analysis
As of the publication date of this blog post, a CVSS score and severity rating for CVE-2025-66219 are not yet available. However, given the nature of a command injection vulnerability, it is likely to be rated as Critical or High, with a corresponding CVSS score reflecting the high potential for remote code execution and system compromise.
Possible Impact
The impact of CVE-2025-66219 can be severe. An attacker who successfully exploits this vulnerability can:
- Execute arbitrary commands on the server or system where willitmerge is running.
- Gain unauthorized access to sensitive data.
- Modify system configurations.
- Install malware or other malicious software.
- Compromise the integrity of the software development lifecycle.
The risk is particularly high if willitmerge is used within automated CI/CD pipelines, where a successful attack could compromise the entire build and deployment process.
Mitigation or Patch Steps
Currently, no official patch or mitigation is available for CVE-2025-66219. Until a fix is released, the following steps are recommended to mitigate the risk:
- Discontinue use of willitmerge: The most effective way to protect against this vulnerability is to stop using the tool until a patched version is available.
- Input Sanitization (Highly Discouraged as a Sole Mitigation): If you must use willitmerge, implement strict input validation and sanitization on all user-controlled inputs, including command-line arguments and data retrieved from the target repository. However, this is prone to bypass and should be avoided if possible.
- Consider Alternative Tools: Explore alternative tools for checking pull request mergeability that do not suffer from this command injection vulnerability.
- Monitor System Activity: Closely monitor system logs and network traffic for any suspicious activity that might indicate an attempted exploit.
Once a patch is released, it is crucial to update willitmerge to the latest version as soon as possible.
