CVE-2023-26134: 
JavaScript vulnerability analysis and mitigation

Versions of the package git-commit-info before 2.0.2 are vulnerable to Command Injection. The vulnerability exists in the package-exported method gitCommitInfo() which fails to sanitize its parameter commit, which later flows into a sensitive command execution API. The vulnerability was discovered and disclosed on June 26, 2023, and affects all versions of the git-commit-info package prior to version 2.0.2 (Snyk Advisory).

The vulnerability is classified as a Command Injection (CWE-77) with a CVSS v3.1 base score of 9.8 CRITICAL. The attack vector is network-based with low attack complexity, requiring no privileges or user interaction. The vulnerability allows attackers to inject malicious commands when they control the hash content parameter. The vulnerability stems from improper validation of the commit parameter before it is passed to command execution APIs (NVD, Snyk Advisory).

The vulnerability can lead to a complete compromise of system confidentiality, integrity, and availability. Successful exploitation allows attackers to execute arbitrary commands within the context of the application running the vulnerable package. This could result in unauthorized access to sensitive information, system modification, or service disruption (Snyk Advisory).

The recommended mitigation is to upgrade git-commit-info to version 2.0.2 or higher. The fix implements proper validation of commit hashes before execution by adding a regex check that ensures the commit parameter matches the expected format of a git hash (GitHub Patch).