CVE-2025-59046
Published: 09 September 2025
Summary
CVE-2025-59046 is a critical-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 48.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates command injection by requiring validation and sanitization of user inputs like branch names before passing to system commands such as git checkout via exec().
Prevents installation and execution of vulnerable user-installed software like the global npm package interactive-git-checkout versions <=1.1.4.
Ensures timely flaw remediation by updating the vulnerable package to the fixed version beyond 1.1.4 as detailed in the commit 8dd832dd302af287a61611f4f85e157cd1c6bb41.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection via unsanitized input to shell-executing Node.js child_process.exec() directly enables arbitrary Unix shell command execution.
NVD Description
The npm package `interactive-git-checkout` is an interactive command-line tool that allows users to checkout a git branch while it prompts for the branch name on the command-line. It is available as an npm package and can be installed via `npm…
more
install -g interactive-git-checkout`. Versions up to and including 1.1.4 of the `interactive-git-checkout` tool are vulnerable to a command injection vulnerability because the software passes the branch name to the `git checkout` command using the Node.js child process module's `exec()` function without proper input validation or sanitization. Commit 8dd832dd302af287a61611f4f85e157cd1c6bb41 fixes the issue.
Deeper analysisAI
CVE-2025-59046 is a command injection vulnerability (CWE-77) affecting the npm package `interactive-git-checkout`, an interactive command-line tool for checking out Git branches by prompting users for the branch name. Versions up to and including 1.1.4 are vulnerable because the tool passes the user-provided branch name directly to the `git checkout` command via Node.js's child process `exec()` function without input validation or sanitization. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with potential for high-impact confidentiality, integrity, and availability effects.
An attacker can exploit this vulnerability by supplying a malicious branch name containing command injection payloads, such as shell metacharacters, when the tool prompts for input during execution. Exploitation requires a victim to install and run the vulnerable tool globally via `npm install -g interactive-git-checkout` and then enter the crafted input. Given the network vector in the CVSS score and lack of privileges or user interaction requirements beyond the prompt, remote attackers could leverage social engineering or integration in automated scripts to achieve arbitrary command execution on the victim's system, potentially leading to full compromise.
The GitHub security advisory (GHSA-4wcm-7hjf-6xw5) and fixing commit (8dd832dd302af287a61611f4f85e157cd1c6bb41) detail the patch, which addresses the injection by properly sanitizing or handling the branch name input before passing it to `exec()`. Security practitioners should advise users to update the package beyond version 1.1.4 via npm and audit dependencies or workflows using this tool.
Details
- CWE(s)