CVE-2025-59831: 
JavaScript vulnerability analysis and mitigation

CVE-2025-59831 is a Command Injection vulnerability discovered in the git-commiters npm package. The vulnerability was discovered by security researcher Liran Tal and published on September 21, 2025. The vulnerability affects git-commiters versions prior to 0.1.2, with the patched version being 0.1.2 (GitHub Advisory).

The vulnerability exists in the library's primary exported API gitCommiters(options, callback), which accepts options including cwd (current working directory) and revisionRange (revision pointer). The core issue lies in the lack of input sanitization and secure process execution API implementation, allowing uncontrolled user input to be directly concatenated into command execution. The vulnerability has been assigned a High severity rating and is categorized under CWE-77 (Improper Neutralization of Special Elements used in a Command) and CWE-78 (Improper Neutralization of Special Elements used in an OS Command) (GitHub Advisory).

When exploited, this vulnerability allows attackers to execute arbitrary system commands through the revisionRange parameter. The command injection can occur while the git-commiters functionality continues to work as expected, making it difficult to detect the exploitation in running applications (GitHub Advisory).

The vulnerability has been patched in version 0.1.2 of git-commiters. The fix includes implementing proper input sanitization by removing quotes and adding proper string escaping for the revisionRange parameter (Git Commit). Users should upgrade to version 0.1.2 or later to mitigate this vulnerability.