<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Dependency - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/dependency/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 12:38:08 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/dependency/feed.xml" rel="self" type="application/rss+xml"/><item><title>repomix CLI Command Injection (RCE) via --remote-branch (CVE-2026-49987)</title><link>https://feed.craftedsignal.io/briefs/2026-07-repomix-rce/</link><pubDate>Fri, 03 Jul 2026 12:38:08 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-repomix-rce/</guid><description>The `repomix` CLI tool is vulnerable to command injection (CVE-2026-49987) via unsanitized user input in the `--remote-branch` argument, allowing attackers to inject arbitrary `git` command-line options like `--upload-pack` and achieve remote code execution with the privileges of the running user, potentially leading to CI/CD pipeline compromise.</description><content:encoded><![CDATA[<p>The <code>repomix</code> CLI tool, a utility for managing repositories, contains a critical command injection vulnerability (CVE-2026-49987) in versions prior to 1.14.1. Discovered by Abhijith S. (@kakashi-kx), this flaw stems from improper handling of the <code>--remote-branch</code> argument within the <code>src/core/git/gitCommand.ts</code> file. User-controlled input for <code>--remote-branch</code> is passed directly to <code>git fetch</code> and <code>git checkout</code> subprocesses via <code>child_process.execFileAsync</code> without proper sanitization or the use of <code>--</code> positional delimiters. This allows an attacker to inject arbitrary <code>git</code> command-line options, notably <code>--upload-pack</code>, alongside SSH or local remote URLs. The vulnerability effectively bypasses an existing <code>dangerousParams</code> blocklist designed to prevent such attacks, as this validation was not applied to the <code>remoteBranch</code> parameter. Successful exploitation grants remote code execution capabilities, enabling an attacker to compromise systems running <code>repomix</code> with the privileges of the executing user, making CI/CD environments a significant target.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker invokes the <code>repomix</code> CLI tool, likely through a script or automated process.</li>
<li>The attacker supplies a specially crafted <code>--remote-branch</code> argument, for example, <code>--upload-pack=/tmp/malicious-pack</code>, to inject malicious options into the <code>git</code> command.</li>
<li><code>repomix</code>'s <code>execGitShallowClone</code> function in <code>src/core/git/gitCommand.ts</code> is called internally.</li>
<li>The malicious <code>--remote-branch</code> argument, containing the injected <code>--upload-pack</code> option, is passed unsanitized to <code>deps.execFileAsync</code> which executes <code>git fetch</code>.</li>
<li>The <code>git</code> process interprets <code>--upload-pack=/tmp/malicious-pack</code> as a valid argument to specify an alternate program for <code>upload-pack</code> operations.</li>
<li><code>git</code> attempts to invoke the attacker-controlled binary or script, such as <code>/tmp/malicious-pack</code>, as part of its transport helper process.</li>
<li>The <code>/tmp/malicious-pack</code> script executes arbitrary commands (e.g., <code>id &gt;&gt; /tmp/repomix-pwned.txt</code>) on the compromised system.</li>
<li>Remote Code Execution is achieved, allowing the attacker to run commands with the privileges of the user who executed <code>repomix</code>.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The primary impact of CVE-2026-49987 is remote code execution (RCE) on the system where <code>repomix</code> is executed. This grants attackers complete system compromise capabilities with the privileges of the running user. A significant concern is the potential compromise of CI/CD environments; if <code>repomix</code> is used in automated pipelines and its <code>--remote-branch</code> parameter is populated by external or untrusted triggers (e.g., webhook payloads, pull request titles), attackers can leverage this vulnerability to gain control of build servers. This could lead to exfiltration of sensitive data, deployment of malicious code, or further lateral movement within an organization's infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Update <code>repomix</code> to version 1.14.1 or later immediately to patch CVE-2026-49987.</li>
<li>Deploy the provided Sigma rule to detect <code>git</code> process creation with suspicious <code>--upload-pack</code> arguments.</li>
<li>Ensure <code>process_creation</code> logging for Linux systems is enabled and configured to capture command-line arguments to activate the detection rule.</li>
<li>Review any CI/CD pipelines or automated workflows that utilize <code>repomix</code> and where the <code>--remote-branch</code> parameter might be populated by untrusted or external input.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>command-injection</category><category>rce</category><category>git</category><category>supply-chain</category><category>dependency</category><category>linux</category></item></channel></rss>