Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Versions of the package degit before 2.8.6, from 3.0.0 and before 3.3.1 are vulnerable to Command Injection due to improper sanitisation of user input for git shell commands directly invoked with exec() method by _cloneWithGit() and fetchRefs() functions. An attacker can execute arbitrary operating system commands as the process user by supplying a specially crafted git repository name.
AnalysisAI
Command injection in the npm package degit (versions before 2.8.6 and 3.0.0 through 3.3.0) lets a remote attacker run arbitrary OS commands on a victim's host when the victim is induced to run degit against a maliciously crafted repository name. The flaw stems from unsanitised user input being concatenated into shell strings inside _cloneWithGit() and fetchRefs(); publicly available exploit code exists (a PoC gist is linked from the NVD references and CVSS reports E:P), but the issue is not in CISA KEV.
Technical ContextAI
degit is a widely used JavaScript scaffolding tool by Rich Harris (Svelte ecosystem) that copies the contents of a remote git repository without its history, typically invoked via 'npx degit user/repo'. The vulnerable code path used Node's child_process.exec() with template strings such as git clone ${this.repo.ssh} ${dest} and rm -rf ${path.resolve(dest, '.git')} inside _cloneWithGit(), and similar string-built commands in fetchRefs(). Because exec() spawns a shell, any shell metacharacter ($(), ;, &&, backticks) embedded in the parsed repository identifier is interpreted by /bin/sh, producing a classic CWE-78 OS Command Injection. The fix commits (4ac99e4 and d55bfd7) switch to the argv-array form ('git', ['clone', this.repo.ssh, dest]) which bypasses the shell entirely, and add eslint-plugin-security with detect-child-process enabled to prevent regressions.
RemediationAI
Vendor-released patch: upgrade to degit 2.8.6 (for 2.x users) or 3.3.1 (for 3.x users); the underlying fixes are commits 4ac99e4a4c3f53ca3b5c997bcd7542742ad0c443 and d55bfd7cea79c0b387f69ec8477b6c34abf9f226 on Rich-Harris/degit, and the advisory text is at https://security.snyk.io/vuln/SNYK-JS-DEGIT-17116207. If immediate upgrade is impossible, treat any 'degit <src>' argument as untrusted: refuse to invoke degit on values received from web forms, chat input, or unreviewed README copy-paste, and run degit inside a non-privileged sandbox (rootless container, ephemeral CI runner with no production credentials mounted) to bound the blast radius - the trade-off is build-time friction and the loss of cached credentials for private repos. Disabling the git-clone fallback by ensuring tar-based downloads succeed (network access to codeload.github.com) avoids _cloneWithGit() entirely but breaks SSH-only sources.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35349
GHSA-77c7-pq4r-6mcq