
CVE-2025-66219

Severity: Medium · Public PoC

Published: 29 November 2025
Modified: 19 December 2025
KEV Added: not listed
Patch: none available
CVSS Score v4: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0030 (53.7th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-66219 is a medium-severity Command Injection (CWE-77) vulnerability in Dontkry Willitmerge. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE ranks in the top 46.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-66219 is a command injection vulnerability (CWE-77) affecting the willitmerge command-line tool, a utility for checking if pull requests are mergeable. The issue impacts versions 0.2.1 and prior, stemming from the insecure use of the child process execution API (exec), where untrusted user input—either from command-line flags or content under user control in the target repository—is directly concatenated into the executed command. This flaw has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for remote exploitation with high impacts on confidentiality, integrity, and availability.

The vulnerability can be exploited by any remote attacker with network access to a system running the affected willitmerge versions, requiring no privileges, authentication, or user interaction. By supplying malicious input via CLI flags or manipulating repository content, an attacker can inject arbitrary operating system commands, leading to full command execution on the host system with the privileges of the willitmerge process. This enables attackers to achieve unauthorized access, data exfiltration, system compromise, or denial of service.

The GitHub security advisory (GHSA-j9wj-m24m-7jj6) details the vulnerability, with code references highlighting the insecure exec usage in lib/willitmerge.js (lines 189-197). At the time of publication on 2025-11-29, no public fix was available, so practitioners should avoid using affected versions, monitor for updates from the repository maintainer, and consider alternatives for pull request mergeability checks until a patch is released.

EU & UK References

Vulnerability details

willitmerge is a command-line tool to check if pull requests are mergeable. In versions 0.2.1 and prior, there is a command injection vulnerability in willitmerge. The vulnerability manifests in this package due to the use of the insecure child process execution API (exec), to which it concatenates user input, whether provided via a command-line flag or present under user control in the target repository. At time of publication, no known fix is public.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1059 Command and Scripting Interpreter (tactic: Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Command injection vulnerability via insecure child process exec allows arbitrary OS command execution, directly enabling T1059 Command and Scripting Interpreter.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2025-54416 (shared CWE-77)
- CVE-2024-8402 (shared CWE-77)
- CVE-2025-67397 (shared CWE-77)
- CVE-2025-57199 (shared CWE-77)
- CVE-2024-55030 (shared CWE-77)
- CVE-2025-24818 (shared CWE-77)
- CVE-2025-9223 (shared CWE-77)
- CVE-2026-8431 (shared CWE-77)
- CVE-2026-44869 (shared CWE-77)
- CVE-2025-70093 (shared CWE-77)

Affected Assets

dontkry / willitmerge, versions ≤ 0.2.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

- prevent: Directly requires identifying, documenting, and remediating the command injection flaw in willitmerge versions 0.2.1 and prior through patching, updating, or removal to eliminate the vulnerability.
- prevent: Mandates validation and sanitization of untrusted user inputs from CLI flags and repository content before use in child process execution, blocking malicious command injection payloads.
- prevent: Enforces execution of the willitmerge process with least privileges, confining the scope and impact of any successful command injection to minimal system access.

References