CVE-2022-24376: 
JavaScript vulnerability analysis and mitigation

All versions of the git-promise package are vulnerable to Command Injection (CVE-2022-24376). The vulnerability was discovered by Liran Tal and disclosed on March 28, 2022. This security issue affects the core functionality of the package, which is designed to run git commands using an intuitive syntax (Snyk Report).

The vulnerability stems from an inappropriate fix of a prior command injection vulnerability. The fix attempted to separate command arguments using whitespace splitting logic, but this can be bypassed using alternative input methods. The vulnerability has a CVSS base score of 7.5, indicating high severity. The issue allows attackers to execute arbitrary commands by using either tab characters instead of spaces or by utilizing shell's predefined separator ${IFS} to bypass the whitespace splitting logic (GitHub Gist).

Successful exploitation of this vulnerability can lead to total loss of confidentiality, integrity, and availability of the affected system. An attacker can execute arbitrary commands, potentially gaining complete control over the system where the package is implemented (Snyk Report).

There is no fixed version available for the git-promise package. The maintainers have updated the README file with a warning regarding this issue instead of providing a patch. Users are advised to consider alternative packages or implement additional security controls to mitigate the risk (Snyk Report).