Vulnerability Description
willitmerge is a command line tool to check if pull requests are mergeable. In versions 0.2.1 and prior, there is a command Injection vulnerability in willitmerge. The vulnerability manifests in this package due to the use of insecure child process execution API (exec) to which it concatenates user input, whether provided to the command-line flag, or is in user control in the target repository. At time of publication, no known fix is public.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dontkry | Willitmerge | <= 0.2.1 |
Related Weaknesses (CWE)
References
- https://github.com/shama/willitmerge/blob/2fe91d05191fb05ac6da685828d109a3a58850Product
- https://github.com/shama/willitmerge/security/advisories/GHSA-j9wj-m24m-7jj6ExploitVendor Advisory
- https://github.com/shama/willitmerge/security/advisories/GHSA-j9wj-m24m-7jj6ExploitVendor Advisory
FAQ
What is CVE-2025-66219?
CVE-2025-66219 is a vulnerability with a CVSS score of 9.8 (CRITICAL). willitmerge is a command line tool to check if pull requests are mergeable. In versions 0.2.1 and prior, there is a command Injection vulnerability in willitmerge. The vulnerability manifests in this ...
How severe is CVE-2025-66219?
CVE-2025-66219 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-66219?
Check the references section above for vendor advisories and patch information. Affected products include: Dontkry Willitmerge.