Description

All versions of the package check-branches are vulnerable to Command Injection check-branches is a command-line tool that is interacted with locally, or via CI, to confirm no conflicts exist in git branches. However, the library follows these conventions which can be abused: 1. It trusts branch names as they are (plain text) 2. It spawns git commands by concatenating user input Since a branch name is potentially a user input - as users can create branches remotely via pull requests, or simply due to privileged access to a repository - it can effectively be abused to run any command.

INFO

Published Date :

2025-09-30T05:00:06.332Z

Last Modified :

2025-09-30T19:06:21.373Z

Source :

snyk
AFFECTED PRODUCTS

The following products are affected by CVE-2025-11148 vulnerability.

Vendors Products
Check-branches Project
  • Check-branches
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-11148.

URL Resource
https://gist.github.com/lirantal/054b4ad039a86c418f2c84e3e884d6ec cve-icon cve-icon
https://security.snyk.io/vuln/SNYK-JS-CHECKBRANCHES-2766494 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact