push-dir through 0.4.1 allows execution of arbritary commands. Arguments provided as part of the variable "opt.branch" is not validated before being provided to the "git" command within "index.js#L139". This could be abused by an attacker to inject arbitrary commands.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| push-dir(npm) | 0 | N/A | N/A |
CVSS Metrics
