CVE-2025-66219
Published 2025-11-29
Priority: P266 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.41% (82.1th percentile)
willitmerge is a command line tool to check if pull requests are mergeable. In versions 0.2.1 and prior, there is a command injection vulnerability in willitmerge. The vulnerability arises because the package uses the insecure child-process execution API (`exec`) and concatenates user input into the command string, whether that input is supplied via a command-line flag or is under user control in the target repository. At time of publication, no known fix is public.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dontkry | willitmerge | <= 0.2.1 | — |
| shama | willitmerge | <= 0.2.1 | — |
| shama | willitmerge | 0 – 0.2.1 | — |
CVSS provenance
* NVD, CVSS v3.1: 9.8 CRITICAL, vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
* NVD, CVSS v4.0: 6.9 MEDIUM, vector `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X`
GHSA
ghsa·2025-11-26
CVE-2025-66219 [MEDIUM] CWE-77 willitmerge has a Command Injection vulnerability
willitmerge describes itself as a command line tool to check if pull requests are mergeable. There is a Command Injection vulnerability in version `willitmerge@0.2.1`.
Resources:
* Project's GitHub source code: https://github.com/shama/willitmerge/
* Project's npm package: https://www.npmjs.com/package/willitmerge
## Background on exploitation
This report describes a Command Injection vulnerability in the `willitmerge` npm package.
The vulnerability arises because the package builds a shell command with the insecure child-process execution API (`exec`) and concatenates user input into it, whether that input is supplied via a command-line flag or is under user control in the target repository.
## Exploit
### POC 1
1. Install `willitmerge`
2. Run it with the following comma
OSV
osv·2025-11-26
CVE-2025-66219 [MEDIUM] willitmerge has a Command Injection vulnerability
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.