CVE-2025-59046: 
JavaScript vulnerability analysis and mitigation

The npm package interactive-git-checkout (versions up to and including 1.1.4) contains a command injection vulnerability identified as CVE-2025-59046. The vulnerability was discovered and disclosed on September 9, 2025. The package is an interactive command-line tool that allows users to checkout git branches by prompting for branch names. The vulnerability affects all versions of the package up to version 1.1.4 (GitHub Advisory, NVD).

The vulnerability stems from improper input validation when passing branch names to the git checkout command. The software uses the Node.js child process module's exec() function without proper input sanitization, allowing for command injection. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high severity across confidentiality, integrity, and availability impacts (GitHub Advisory).

If exploited, this vulnerability allows attackers to execute arbitrary commands on the system where the package is installed. The high CVSS score indicates that successful exploitation could lead to complete system compromise, with potential impacts including unauthorized access to sensitive data, system modification, and service disruption (GitHub Advisory).

The vulnerability has been fixed in commit 8dd832dd302af287a61611f4f85e157cd1c6bb41, which replaces the vulnerable exec() function with execFile() to prevent command injection. Users should update their installations to versions containing this fix. If updating is not immediately possible, users should carefully validate branch names before using the tool (GitHub Commit).