Description

willitmerge is a command line tool to check if pull requests are mergeable. In versions 0.2.1 and prior, there is a command Injection vulnerability in willitmerge. The vulnerability manifests in this package due to the use of insecure child process execution API (exec) to which it concatenates user input, whether provided to the command-line flag, or is in user control in the target repository. At time of publication, no known fix is public.

INFO

Published Date :

2025-11-29T01:34:33.487Z

Last Modified :

2025-12-01T19:15:03.332Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-66219 vulnerability.

Vendors Products
Dontkry
  • Willitmerge
Willitmerge Project
  • Willitmerge
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-66219.

URL Resource
https://github.com/shama/willitmerge/blob/2fe91d05191fb05ac6da685828d109a3a5885028/lib/willitmerge.js#L189-L197 cve-icon cve-icon
https://github.com/shama/willitmerge/security/advisories/GHSA-j9wj-m24m-7jj6 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact