Cyber Posture

CVE-2025-66219

Critical · Public PoC · RCE

Published: 29 November 2025
Modified: 19 December 2025
KEV Added: not listed
Patch: none available at time of publication
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0030 (53.4th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-66219 is a critical-severity command injection (CWE-77) vulnerability in dontkry's willitmerge, a Node.js command-line tool for checking whether pull requests are mergeable. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE ranks in the top 46.6% of CVEs by EPSS exploit likelihood (score 0.0030), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations this analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege). Because no fixed release was available at publication, least privilege and input validation carry the practical weight until one ships.

Threat & Defense at a Glance

What attackers do: exploitation maps to Command and Scripting Interpreter (T1059). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires identifying, documenting, and remediating the command injection flaw in willitmerge versions 0.2.1 and prior: update to a fixed release once one is published, and remove or stop using the affected versions until then.

SI-10 Information Input Validation (prevent)

Mandates validation and sanitization of untrusted input from CLI flags and repository content before it reaches child process execution, blocking command injection payloads. Passing arguments as an array to a non-shell API (execFile/spawn) instead of concatenating them into an exec() command string is the structural fix; an allow-list on the expected value format is the defence in depth.

AC-6 Least Privilege (prevent)

Enforces running the willitmerge process, and the CI job or developer shell that invokes it, with the fewest privileges needed, confining the impact of any successful command injection to minimal system access.

MITRE ATT&CK Enterprise Techniques

T1059 Command and Scripting Interpreter (tactic: Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Command injection vulnerability via insecure child process exec allows arbitrary OS command execution, directly enabling T1059 Command and Scripting Interpreter.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

willitmerge is a command line tool to check if pull requests are mergeable. In versions 0.2.1 and prior, there is a command injection vulnerability in willitmerge. The vulnerability manifests in this package due to the use of insecure child process execution API (exec) to which it concatenates user input, whether provided to the command-line flag, or is in user control in the target repository. At time of publication, no known fix is public.

Deeper analysis

CVE-2025-66219 is a command injection vulnerability (CWE-77) in the willitmerge command-line tool, which checks whether pull requests are mergeable. Versions 0.2.1 and prior build a shell command by concatenating untrusted input (command-line flag values, or content under user control in the target repository) into the string handed to the child process exec API, so shell metacharacters in that input are interpreted by the shell rather than treated as data. The CVSS v3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): critical, with high impact on confidentiality, integrity, and availability.

The CVSS vector scores the flaw as network-reachable with no privileges or user interaction required. In practice the realistic path is the repository: an attacker who can influence content that willitmerge reads from the target repository gets arbitrary OS commands executed on the host where the tool runs, with the privileges of the user or CI job that invoked it. This page does not name the specific repository field that is injected, so treat every value the tool reads from a repository as attacker-controlled. From there an attacker can read or modify files, exfiltrate credentials available to that job, pivot to other systems the job can reach, or disrupt the host.

The GitHub security advisory (GHSA-j9wj-m24m-7jj6) details the vulnerability, with code references highlighting the insecure exec usage in lib/willitmerge.js (lines 189-197). As of publication on 29 November 2025 no fix was public, so practitioners should stop running affected versions against repositories they do not fully trust, pin or remove the package in CI pipelines, monitor the repository for a fixed release, and consider alternatives for mergeability checks until a patch ships.

Details

CWE(s): CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

Affected Products: dontkry willitmerge ≤ 0.2.1

CVEs Like This One

CVE-2024-8402 (shared CWE-77)
CVE-2025-54416 (shared CWE-77)
CVE-2025-57199 (shared CWE-77)
CVE-2025-59252 (shared CWE-77)
CVE-2026-7246 (shared CWE-77)
CVE-2026-5463 (shared CWE-77)
CVE-2025-60021 (shared CWE-77)
CVE-2025-59286 (shared CWE-77)
CVE-2024-53615 (shared CWE-77)
CVE-2025-52688 (shared CWE-77)
