GHSA-g38c-wxjf-xrh6: 
JavaScript vulnerability analysis and mitigation

git-commiters, a Node.js function module providing committers stats for git repositories, was found to contain a command injection vulnerability (CVE-2025-59831) prior to version 0.1.2. The vulnerability was discovered by security researcher Liran Tal and publicly disclosed on September 21, 2025. The issue affects all versions of the package before 0.1.2 (GitHub Advisory).

The vulnerability manifests in the library's primary exported API gitCommiters(options, callback), which accepts options including cwd for current working directory and revisionRange as a revision pointer. The core issue stems from the library's failure to properly sanitize user input or implement secure process execution API to separate commands from their arguments, resulting in uncontrolled user input being directly concatenated into command execution. The vulnerability has been assigned a CVSS v4.0 base score of 8.7 (High), with attack vector being Network, attack complexity Low, and no privileges required (GitHub Advisory).

A successful exploitation of this vulnerability allows attackers to execute arbitrary commands on the affected system through command injection. The vulnerability impacts the confidentiality, integrity, and availability of the vulnerable system with high severity, while having no impact on subsequent systems (GitHub Advisory).

The vulnerability has been patched in version 0.1.2 of git-commiters. Users should upgrade to this version or later to mitigate the risk. The fix involves proper sanitization of the revisionRange parameter by removing quotes and adding proper string escaping (GitHub Commit).