# Vulnerability Metadata

| Field | Detail |
| --- | --- |
| CVE ID | CVE-2026-49987 |
| Vendor | npm |
| Affected Product | repomix |
| Vulnerability Type | Vulnerability |
| CVSS Score | 8.8 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
| Affected Component | src/core/git/gitCommand.ts (execGitShallowClone) |
| Impact | Arbitrary Command Execution / Security Control Bypass |

# Summary
The --remote-branch CLI option in repomix is vulnerable to argument injection. User-supplied input is passed directly to the git fetch and git checkout subprocesses via child_process.execFileAsync without sanitization, -- delimiters, or validation. An attacker can inject arbitrary git command-line options. By injecting the --upload-pack option and specifying an SSH (git@...) or local (file://) remote URL, an attacker achieves arbitrary command execution with the privileges of the user running repomix. This bypasses the existing dangerousParams blocklist…
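The two defects the summary names, a missing -- delimiter and missing validation of the branch value, are easiest to see side by side in the argv array handed to execFile. The following is an added example written for this page, not repomix's own code: the function names, the `--depth 1` fetch shape and the `origin` remote name are assumptions for illustration, and the allowlist is a conservative subset of git's ref-name rules rather than a substitute for `git check-ref-format`.

```typescript
// Added example (not repomix's code): defensive argv construction for the
// git fetch / git checkout subprocess calls described in CVE-2026-49987.
// Function names and the fetch/checkout argument shapes are assumptions.

// Conservative allowlist: a branch name must start with a letter or digit,
// so it can never begin with '-' and be parsed by git as an option.
const BRANCH_NAME = /^[A-Za-z0-9][A-Za-z0-9._\/-]{0,254}$/;

function isSafeBranchName(name: string): boolean {
  if (!BRANCH_NAME.test(name)) return false;
  // Extra rules mirroring git check-ref-format that the regex alone misses.
  if (name.includes('..') || name.includes('//') || name.includes('@{')) return false;
  if (name.endsWith('.') || name.endsWith('/') || name.endsWith('.lock')) return false;
  return name
    .split('/')
    .every((seg) => seg.length > 0 && !seg.startsWith('.') && !seg.endsWith('.lock'));
}

// Vulnerable shape: the user value sits where git still parses options, so a
// value that starts with '-' (e.g. an --upload-pack=... string) is consumed as
// an option rather than as a ref name. Kept here only to show the difference.
function buildFetchArgsUnsafe(remoteBranch: string): string[] {
  return ['fetch', '--depth', '1', 'origin', remoteBranch];
}

// Hardened shape: validate first, then place '--' so git stops option
// parsing before it reaches the user-controlled value.
function buildFetchArgs(remoteBranch: string): string[] {
  if (!isSafeBranchName(remoteBranch)) {
    throw new Error(`Refusing unsafe branch name: ${JSON.stringify(remoteBranch)}`);
  }
  return ['fetch', '--depth', '1', 'origin', '--', remoteBranch];
}

// For checkout the '--' must come AFTER the branch: "checkout -- <x>" means
// "restore pathspec x", not "switch to branch x". "checkout <branch> --" is
// the form git documents to force the branch interpretation.
function buildCheckoutArgs(remoteBranch: string): string[] {
  if (!isSafeBranchName(remoteBranch)) {
    throw new Error(`Refusing unsafe branch name: ${JSON.stringify(remoteBranch)}`);
  }
  return ['checkout', remoteBranch, '--'];
}

// Helper for tests and for a pre-flight check in a CLI: does the hardened
// builder reject this value before any subprocess is spawned?
function rejectsOptionLikeInput(value: string): boolean {
  try {
    buildFetchArgs(value);
    return false;
  } catch {
    return true;
  }
}
```

The allowlist check is the control that matters for checkout, since a -- delimiter alone cannot make `git checkout` treat an option-shaped string as a branch. For fetch, the delimiter is a second, independent line of defence in case the validation is ever relaxed. Logging every rejection from `buildFetchArgs` or `buildCheckoutArgs` also gives a cheap detection signal for attempts to pass option-shaped values through the CLI.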