
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-59831 affects the git-commiters Node.js module, which provides functionality for retrieving committer statistics from git repositories. The vulnerability was discovered and disclosed on September 25, 2025, affecting versions prior to 0.1.2. This command injection vulnerability exists in the module's primary exported API: gitCommiters(options, callback) (GitHub Advisory).
The vulnerability stems from improper input sanitization in the gitCommiters function when handling the revisionRange parameter. The function does not sanitize this user-controlled value and does not use a process-execution API that keeps the command separate from its arguments, so the parameter can be used for command injection. The vulnerability has been assigned a CVSS v4.0 score of 8.7 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. It is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and CWE-77 (Improper Neutralization of Special Elements used in a Command) (NVD).
When exploited, this vulnerability allows attackers to execute arbitrary commands through the revisionRange parameter. The impact is particularly concerning because the committer-statistics functionality continues to work as expected even after command injection, which makes exploitation difficult to detect in running applications (GitHub Advisory).
The vulnerability has been patched in version 0.1.2 of the git-commiters package. The fix adds input sanitization by removing quotes from the revisionRange parameter and escaping the resulting string (GitHub Commit). Users should upgrade to version 0.1.2 or later to mitigate this vulnerability.
Source: This report was generated using AI