CVE-2022-25900: 
JavaScript vulnerability analysis and mitigation

The git-clone npm package (all versions) contains a Command Injection vulnerability (CVE-2022-25900) due to insecure usage of the --upload-pack feature of git. This vulnerability was discovered and disclosed on March 28, 2022, and published on June 28, 2022. The package receives approximately 230,000 downloads per week, making this a significant security concern (GitHub PoC, Snyk Report).

The vulnerability stems from improper handling of user input in the git-clone package. The source code attempts to mitigate user input concatenation by adding arguments to the command being executed before adding a double dash, but this implementation is flawed. When user-controlled options are provided to the clone() function through the options.args array, attackers can inject commands that will be executed during the cloning process. The vulnerability has been assigned a CVSS base score of 8.1 (High) by Snyk, with critical impacts on confidentiality, integrity, and availability (Snyk Report).

The vulnerability allows attackers to execute arbitrary commands on the operating system where the git-clone package is being used. This can lead to a total loss of confidentiality, integrity, and availability of the affected system. An attacker can potentially access restricted information, modify protected files, and cause denial of service conditions (Snyk Report).

There is no fixed version available for the git-clone package. As a workaround, the package maintainers have added a note to the README file advising users to only use the args option with static/trusted input (Snyk Report).