CVE-2025-66219
Published: 29 November 2025
Description
willitmerge is a command line tool to check if pull requests are mergeable. In versions 0.2.1 and prior, there is a command injection vulnerability in willitmerge. The vulnerability manifests in this package due to the use of an insecure child process execution API (exec) to which it concatenates user input, whether provided via a command-line flag or under user control in the target repository. At time of publication, no known fix is public.
Mitigating Controls (NIST 800-53 r5) [AI]
- Directly requires identifying, documenting, and remediating the command injection flaw in willitmerge versions 0.2.1 and prior through patching, updating, or removal to eliminate the vulnerability.
- Mandates validation and sanitization of untrusted user inputs from CLI flags and repository content before use in child process execution, blocking malicious command injection payloads.
- Enforces execution of the willitmerge process with least privileges, confining the scope and impact of any successful command injection to minimal system access.
Security Summary [AI]
CVE-2025-66219 is a command injection vulnerability (CWE-77) affecting the willitmerge command-line tool, a utility for checking if pull requests are mergeable. The issue impacts versions 0.2.1 and prior, stemming from the insecure use of the child process execution API (exec), where untrusted user input—either from command-line flags or content under user control in the target repository—is directly concatenated into the executed command. This flaw has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for remote exploitation with high impacts on confidentiality, integrity, and availability.
The vulnerability can be exploited by any remote attacker with network access to a system running the affected willitmerge versions, requiring no privileges, authentication, or user interaction. By supplying malicious input via CLI flags or manipulating repository content, an attacker can inject arbitrary operating system commands, leading to full command execution on the host system with the privileges of the willitmerge process. This enables attackers to achieve unauthorized access, data exfiltration, system compromise, or denial of service.
The GitHub security advisory (GHSA-j9wj-m24m-7jj6) details the vulnerability, with code references highlighting the insecure exec usage in lib/willitmerge.js (lines 189-197). At the time of publication on 2025-11-29, no public fix was available, so practitioners should avoid using affected versions, monitor for updates from the repository maintainer, and consider alternatives for pull request mergeability checks until a patch is released.
Details
- CWE(s): CWE-77 (Improper Neutralization of Special Elements used in a Command, 'Command Injection')
- Affected Products: willitmerge, versions 0.2.1 and prior
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Command injection vulnerability via insecure child process exec allows arbitrary OS command execution, directly enabling T1059 Command and Scripting Interpreter.