CVE-2025-59831
Published: 25 September 2025
Summary
CVE-2025-59831 is a high-severity Command Injection (CWE-77) vulnerability in Riceball Git-Commiters. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); it is ranked at the 32.1st percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Patching git-commiters to version 0.1.2 or later directly remediates the command injection vulnerability by employing secure process execution APIs.
Validating and sanitizing untrusted inputs for the cwd and revisionRange options before invoking gitCommiters (for example, an allow-list of git revision syntax and absolute, existing repository paths) prevents arbitrary command injection; note that input validation is a compensating control, not a substitute for the patched release.
Vulnerability scanning identifies deployments using vulnerable git-commiters versions prior to 0.1.2, enabling proactive flaw remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Because the unsanitized cwd/revisionRange values are concatenated into a command string that is executed through a shell, an attacker who controls them obtains arbitrary Unix shell command execution, which maps directly to T1059.004.
NVD Description
git-commiters is a Node.js function module providing committers stats for their git repository. Prior to version 0.1.2, there is a command injection vulnerability in git-commiters. This vulnerability manifests with the library's primary exported API: gitCommiters(options, callback) which allows specifying options such as cwd for current working directory and revisionRange as a revision pointer, such as HEAD. However, the library does not sanitize for user input or practice secure process execution API to separate commands from their arguments and as such, uncontrolled user input is concatenated into command execution. This issue has been patched in version 0.1.2.
Deeper analysis
CVE-2025-59831 is a command injection vulnerability (CWE-77, CWE-78) in the git-commiters Node.js module, which provides committers statistics for Git repositories. The issue affects versions prior to 0.1.2 and arises in the primary exported API, gitCommiters(options, callback), where user-supplied options such as cwd (current working directory) and revisionRange (e.g., HEAD) are not sanitized. Instead, this uncontrolled input is directly concatenated into underlying command executions without using secure process APIs to separate commands from arguments, enabling injection of arbitrary shell commands.
The CVSS v3 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, base score 8.8) rates the flaw as network-reachable, low complexity and requiring no privileges, but with user interaction required: an attacker needs an application that integrates git-commiters to call the vulnerable API with attacker-controlled cwd or revisionRange values (for example, a repository path or revision taken from a request parameter). Successful exploitation yields arbitrary command execution on the host running the Node.js process, with high impact on confidentiality, integrity and availability. The exposed population is therefore developers and services that use git-commiters for repository analysis on untrusted input.
The vulnerability has been patched in version 0.1.2 of git-commiters, as detailed in the GitHub security advisory (GHSA-g38c-wxjf-xrh6) and the fixing commit (7f0abfedbf506e3a61ac875d91324a8dbe756e84). Security practitioners should update to 0.1.2 or later (including transitive copies pinned in lockfiles) and audit applications using this module for any path by which untrusted data can reach the cwd or revisionRange options.
Details
- CWE(s)