CVE-2022-42906 in powerline-gitstatus

Summary

by MITRE • 10/13/2022

powerline-gitstatus (aka Powerline Gitstatus) before 1.3.2 allows arbitrary code execution. Git repositories can contain per-repository configuration that changes the behavior of git, including running arbitrary commands. When using powerline-gitstatus, changing to a directory automatically runs git commands in order to display information about the current repository in the prompt. If an attacker can convince a user to change their current directory to one controlled by the attacker, such as in a shared filesystem or extracted archive, powerline-gitstatus will run arbitrary commands under the attacker's control. NOTE: this is similar to CVE-2022-20001.


Analysis

by VulDB Data Team • 05/15/2025

CVE-2022-42906 affects powerline-gitstatus, a component that displays git repository information in powerline prompts. It is a critical arbitrary code execution flaw that stems from improper handling of git repository configuration by the powerline-gitstatus utility. Versions prior to 1.3.2 are affected, which creates a significant risk on systems where users interact with potentially malicious repositories. The flaw lies in how the utility processes repository information when a user navigates into a directory containing a git repository: that processing is an attack surface through which repository configuration files can trigger command execution.

The technical root cause is the automatic execution of git commands on directory change, without sanitization of the repository's configuration or validation of the security context. Git repositories can carry per-repository configuration files such as .gitconfig that define custom commands for git to run during its operations. When powerline-gitstatus handles a directory change, it automatically invokes git to gather repository status for display. An attacker can therefore place a malicious git configuration inside a repository, and the commands it defines run as soon as the prompt processes that repository. This is command injection through legitimate git functionality: the security boundary between user interaction and repository processing is not enforced.

The operational impact goes beyond simple code execution and can amount to full system compromise when a user interacts with a malicious repository. An attacker can place specially crafted git configuration files in shared filesystems, extracted archives, or other locations a user might navigate into. The attack vector is particularly dangerous in environments where users change directories frequently or work with untrusted code repositories. When a user enters a directory containing malicious git configuration, powerline-gitstatus executes the attacker's commands with the privileges of the user running the shell, which can lead to privilege escalation, data exfiltration, or system compromise. The vulnerability is classified as command injection and shares characteristics with CVE-2022-20001, indicating a pattern of flaws in git-related tools that handle repository configuration files without proper security controls.

Mitigation for CVE-2022-42906 centres on updating to version 1.3.2 or later, which adds proper sanitization of git repository configurations and removes automatic command execution during directory changes. Organizations should have patch management processes in place to ensure every system using powerline-gitstatus is updated. Additional protective measures include restricting directory access in shared environments, validating repositories before use, and running powerline-gitstatus in a restricted security context. The vulnerability aligns with CWE-78 (Improper Neutralization of Special Elements used in OS Command) and follows attack patterns described in the MITRE ATT&CK framework under T1059.001 (Command and Scripting Interpreter: PowerShell) and T1068 (Exploitation for Privilege Escalation). Security teams should also monitor for unusual git command execution patterns and apply network segmentation to limit the impact of exploitation in environments where shared filesystems are prevalent.
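The mechanism and mitigation described above, as an added example that is not code from the advisory or from the powerline-gitstatus project: it parses a constructed .git/config, flags keys whose values git would run as commands, and builds the hardened git invocation a prompt integration can use. It assumes per-repository config lives in .git/config and that command-line -c settings override values from that file.

```python
import re
from typing import Dict, List

# Repository-config keys whose values git executes as commands. This set is
# an illustrative assumption for the audit below, not an exhaustive list.
COMMAND_KEYS = {"core.fsmonitor", "core.hookspath", "core.sshcommand",
                "core.pager", "core.editor", "diff.external", "gpg.program"}

# Constructed sample of a hostile .git/config (not taken from any real repo).
CONSTRUCTED_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
\tfsmonitor = "/tmp/evil-hook.sh"   # git runs this value on every status call
[remote "origin"]
\turl = https://example.invalid/repo.git
"""

_SECTION = re.compile(r'^\[([A-Za-z0-9.-]+)(?:\s+"([^"]*)")?\]$')

def parse_git_config(text: str) -> Dict[str, str]:
    """Parse git's INI-like config into {'section[.subsection].key': value}.
    Simplified: comments are cut at the first '#' or ';' even inside quotes."""
    conf, section = {}, ""
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group(1).lower() + (f".{m.group(2)}" if m.group(2) else "")
            continue
        key, sep, value = line.partition("=")
        value = value.strip().strip('"') if sep else "true"  # bare key means true
        conf[f"{section}.{key.strip().lower()}"] = value
    return conf

def risky_keys(conf: Dict[str, str]) -> List[str]:
    """Keys in the parsed config whose non-empty value would make git run a command."""
    return sorted(k for k, v in conf.items() if k in COMMAND_KEYS and v)

def hardened_git_argv(args: List[str]) -> List[str]:
    """argv for a prompt-side status query with core.fsmonitor forced empty;
    the -c override takes precedence over the repository's own config file."""
    return ["git", "-c", "core.fsmonitor="] + args

if __name__ == "__main__":
    conf = parse_git_config(CONSTRUCTED_CONFIG)
    print("risky keys:", risky_keys(conf))
    print("safe argv:", " ".join(hardened_git_argv(["status", "--porcelain"])))
```

Run the audit against a repository's .git/config before letting any automatic tooling invoke git in it; the hardened argv only neutralizes fsmonitor, so flagged hooksPath or pager values still warrant manual review.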

Reservation

10/13/2022

Disclosure

10/13/2022

Moderation

accepted

CPE

ready

EPSS

0.00570

KEV

no

Activities

very low
