Git Command Injection Vulnerability in Repomix Tool
CVE-2026-49987
7.5HIGH
What is CVE-2026-49987?
The Repomix tool, which aggregates repositories into formats suitable for AI processing, exposes a security risk due to improper handling of Git commands in versions prior to 1.14.1. Specifically, the execGitShallowClone function passes the --remote-branch parameter directly to the git fetch and git checkout commands without validating it. This flaw allows an attacker to inject additional Git options, such as --upload-pack, potentially leading to unauthorized command execution over local or SSH-style transports. The issue was resolved in version 1.14.1.
Affected Version(s)
repomix < 1.14.1
