
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-26143 affects the blamer npm package, a tool for retrieving code-author information from version control systems, in versions before 1.0.4. The vulnerability was discovered by Liran Tal and disclosed on June 22, 2023; a fix was released in version 1.0.4 on September 17, 2023 (GitHub Commit, Snyk Report).
The vulnerability is classified as Arbitrary Argument Injection (CWE-88) with a CVSS v3.1 base score of 9.1 (Critical). The issue is in the blameByFile() API: the library neither sanitizes the caller-supplied file path nor validates that it conforms to an expected schema, and it does not terminate option parsing with the POSIX end-of-options marker (--) before passing the path to the git binary. A path that begins with "--" is therefore parsed by git as a command-line flag rather than as a file name (GitHub Gist).
When exploited, this allows an attacker who controls the file path to inject arbitrary arguments into the git command, potentially overwriting files through the --output= command-line option. The impact on integrity and availability is high; confidentiality is not affected (Snyk Report).
Users should upgrade to blamer version 1.0.4 or later. The fix adds a file existence check and input validation before the path is handed to git (GitHub Commit).
Source: This report was generated using AI