Vulnerability Description
All versions of the package check-branches are vulnerable to Command Injection check-branches is a command-line tool that is interacted with locally, or via CI, to confirm no conflicts exist in git branches. However, the library follows these conventions which can be abused: 1. It trusts branch names as they are (plain text) 2. It spawns git commands by concatenating user input Since a branch name is potentially a user input - as users can create branches remotely via pull requests, or simply due to privileged access to a repository - it can effectively be abused to run any command.
CVSS Score
CRITICAL
Related Weaknesses (CWE)
References
- https://gist.github.com/lirantal/054b4ad039a86c418f2c84e3e884d6ec
- https://security.snyk.io/vuln/SNYK-JS-CHECKBRANCHES-2766494
FAQ
What is CVE-2025-11148?
CVE-2025-11148 is a vulnerability with a CVSS score of 9.8 (CRITICAL). All versions of the package check-branches are vulnerable to Command Injection check-branches is a command-line tool that is interacted with locally, or via CI, to confirm no conflicts exist in git br...
How severe is CVE-2025-11148?
CVE-2025-11148 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-11148?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.