{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dependency/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["repomix (\u003c 1.14.1)"],"_cs_severities":["high"],"_cs_tags":["command-injection","rce","git","supply-chain","dependency","linux"],"_cs_type":"advisory","_cs_vendors":["yamadashy"],"content_html":"\u003cp\u003eThe \u003ccode\u003erepomix\u003c/code\u003e CLI tool, a utility for managing repositories, contains a critical command injection vulnerability (CVE-2026-49987) in versions prior to 1.14.1. Discovered by Abhijith S. (@kakashi-kx), this flaw stems from improper handling of the \u003ccode\u003e--remote-branch\u003c/code\u003e argument within the \u003ccode\u003esrc/core/git/gitCommand.ts\u003c/code\u003e file. User-controlled input for \u003ccode\u003e--remote-branch\u003c/code\u003e is passed directly to \u003ccode\u003egit fetch\u003c/code\u003e and \u003ccode\u003egit checkout\u003c/code\u003e subprocesses via \u003ccode\u003echild_process.execFileAsync\u003c/code\u003e without proper sanitization or the use of \u003ccode\u003e--\u003c/code\u003e positional delimiters. This allows an attacker to inject arbitrary \u003ccode\u003egit\u003c/code\u003e command-line options, notably \u003ccode\u003e--upload-pack\u003c/code\u003e, alongside SSH or local remote URLs. The vulnerability effectively bypasses an existing \u003ccode\u003edangerousParams\u003c/code\u003e blocklist designed to prevent such attacks, as this validation was not applied to the \u003ccode\u003eremoteBranch\u003c/code\u003e parameter. Successful exploitation grants remote code execution capabilities, enabling an attacker to compromise systems running \u003ccode\u003erepomix\u003c/code\u003e with the privileges of the executing user, making CI/CD environments a significant target.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker invokes the \u003ccode\u003erepomix\u003c/code\u003e CLI tool, likely through a script or automated process.\u003c/li\u003e\n\u003cli\u003eThe attacker supplies a specially crafted \u003ccode\u003e--remote-branch\u003c/code\u003e argument, for example, \u003ccode\u003e--upload-pack=/tmp/malicious-pack\u003c/code\u003e, to inject malicious options into the \u003ccode\u003egit\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003erepomix\u003c/code\u003e's \u003ccode\u003eexecGitShallowClone\u003c/code\u003e function in \u003ccode\u003esrc/core/git/gitCommand.ts\u003c/code\u003e is called internally.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003e--remote-branch\u003c/code\u003e argument, containing the injected \u003ccode\u003e--upload-pack\u003c/code\u003e option, is passed unsanitized to \u003ccode\u003edeps.execFileAsync\u003c/code\u003e which executes \u003ccode\u003egit fetch\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egit\u003c/code\u003e process interprets \u003ccode\u003e--upload-pack=/tmp/malicious-pack\u003c/code\u003e as a valid argument to specify an alternate program for \u003ccode\u003eupload-pack\u003c/code\u003e operations.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003egit\u003c/code\u003e attempts to invoke the attacker-controlled binary or script, such as \u003ccode\u003e/tmp/malicious-pack\u003c/code\u003e, as part of its transport helper process.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e/tmp/malicious-pack\u003c/code\u003e script executes arbitrary commands (e.g., \u003ccode\u003eid \u0026gt;\u0026gt; /tmp/repomix-pwned.txt\u003c/code\u003e) on the compromised system.\u003c/li\u003e\n\u003cli\u003eRemote Code Execution is achieved, allowing the attacker to run commands with the privileges of the user who executed \u003ccode\u003erepomix\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of CVE-2026-49987 is remote code execution (RCE) on the system where \u003ccode\u003erepomix\u003c/code\u003e is executed. This grants attackers complete system compromise capabilities with the privileges of the running user. A significant concern is the potential compromise of CI/CD environments; if \u003ccode\u003erepomix\u003c/code\u003e is used in automated pipelines and its \u003ccode\u003e--remote-branch\u003c/code\u003e parameter is populated by external or untrusted triggers (e.g., webhook payloads, pull request titles), attackers can leverage this vulnerability to gain control of build servers. This could lead to exfiltration of sensitive data, deployment of malicious code, or further lateral movement within an organization's infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpdate \u003ccode\u003erepomix\u003c/code\u003e to version 1.14.1 or later immediately to patch CVE-2026-49987.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect \u003ccode\u003egit\u003c/code\u003e process creation with suspicious \u003ccode\u003e--upload-pack\u003c/code\u003e arguments.\u003c/li\u003e\n\u003cli\u003eEnsure \u003ccode\u003eprocess_creation\u003c/code\u003e logging for Linux systems is enabled and configured to capture command-line arguments to activate the detection rule.\u003c/li\u003e\n\u003cli\u003eReview any CI/CD pipelines or automated workflows that utilize \u003ccode\u003erepomix\u003c/code\u003e and where the \u003ccode\u003e--remote-branch\u003c/code\u003e parameter might be populated by untrusted or external input.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:38:08Z","date_published":"2026-07-03T12:38:08Z","id":"https://feed.craftedsignal.io/briefs/2026-07-repomix-rce/","summary":"The `repomix` CLI tool is vulnerable to command injection (CVE-2026-49987) via unsanitized user input in the `--remote-branch` argument, allowing attackers to inject arbitrary `git` command-line options like `--upload-pack` and achieve remote code execution with the privileges of the running user, potentially leading to CI/CD pipeline compromise.","title":"repomix CLI Command Injection (RCE) via --remote-branch (CVE-2026-49987)","url":"https://feed.craftedsignal.io/briefs/2026-07-repomix-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Dependency","version":"https://jsonfeed.org/version/1.1"}