Cyber Resilience

CVE-2025-59831

High · Public PoC · RCE

Published: 25 September 2025

Modified: 16 October 2025
CVSS v4 score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0021 (42.9th percentile)
Risk priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-59831 is a high-severity Command Injection (CWE-77) vulnerability in Riceball Git-Commiters. Its CVSS base score is 8.7 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks at the 42.9th EPSS percentile for exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-59831 is a command injection vulnerability (CWE-77, CWE-78) in the git-commiters Node.js module, which produces committer statistics for Git repositories. The issue affects versions prior to 0.1.2 and arises in the primary exported API, gitCommiters(options, callback), where user-supplied options such as cwd (the working directory) and revisionRange (a revision pointer such as HEAD) are not sanitized. Instead, this uncontrolled input is concatenated directly into the underlying command string rather than being passed through a process API that keeps the command separate from its arguments, so shell metacharacters in either option are interpreted by the shell and allow injection of arbitrary commands.

Attackers can exploit this vulnerability over the network with low complexity and no privileges required, though user interaction is necessary: a victim-controlled application must be induced to invoke the vulnerable API with attacker-supplied options. Successful exploitation grants arbitrary command execution on the host running the Node.js application, with high impact on confidentiality, integrity, and availability (CVSS v3 base score 8.8, vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The exposed population is developers and systems that integrate git-commiters for repository analysis.

The vulnerability has been patched in version 0.1.2 of git-commiters, as detailed in the GitHub security advisory (GHSA-g38c-wxjf-xrh6) and the fixing commit (7f0abfedbf506e3a61ac875d91324a8dbe756e84). Security practitioners should update to 0.1.2 or later and audit applications using this module for untrusted input handling in cwd or revisionRange options.


Vulnerability details

git-commiters is a Node.js function module providing committers stats for their git repository. Prior to version 0.1.2, there is a command injection vulnerability in git-commiters. This vulnerability manifests with the library's primary exported API: gitCommiters(options, callback) which allows specifying options such as cwd for current working directory and revisionRange as a revision pointer, such as HEAD. However, the library does not sanitize for user input or practice secure process execution API to separate commands from their arguments and as such, uncontrolled user input is concatenated into command execution. This issue has been patched in version 0.1.2.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Direct command injection into unsanitized shell command execution (cwd/revisionRange) enables arbitrary Unix shell command execution via T1059.004.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2024-53700 (shared CWE-77, CWE-78)
- CVE-2026-24905 (shared CWE-77, CWE-78)
- CVE-2026-2120 (shared CWE-77, CWE-78)
- CVE-2026-9454 (shared CWE-77, CWE-78)
- CVE-2025-25743 (shared CWE-77)
- CVE-2026-6116 (shared CWE-77, CWE-78)
- CVE-2026-6158 (shared CWE-77, CWE-78)
- CVE-2026-7138 (shared CWE-77, CWE-78)
- CVE-2025-9387 (shared CWE-77, CWE-78)
- CVE-2025-15472 (shared CWE-77, CWE-78)

Affected Assets

Vendor: riceball
Product: git-commiters
Versions: ≤ 0.1.2

Mitigating Controls (NIST 800-53 r5)

- prevent: Patching git-commiters to version 0.1.2 or later directly remediates the command injection vulnerability by employing secure process execution APIs.
- prevent: Validating and sanitizing untrusted inputs for cwd and revisionRange options before invoking gitCommiters prevents arbitrary command injection.
- detect: Vulnerability scanning identifies deployments using vulnerable git-commiters versions prior to 0.1.2, enabling proactive flaw remediation.
