CVE-2026-49987 in repomix
Summary
by MITRE • 07/15/2026
Repomix is a tool that packs repositories into AI-friendly files. Prior to 1.14.1, src/core/git/gitCommand.ts execGitShallowClone passes the --remote-branch value directly to git fetch and git checkout without validation or --end-of-options, allowing --upload-pack or other Git option injection that bypasses validateGitUrl() dangerous parameter checks and can execute commands through local or SSH-style transports. This issue is fixed in version 1.14.1.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/15/2026
The vulnerability in Repomix affects versions prior to 1.14.1 where the gitCommand.ts file in the core module fails to properly sanitize user input when executing git operations. This flaw exists specifically in the execGitShallowClone function which directly passes the --remote-branch parameter to git fetch and git checkout commands without proper validation or sanitization measures. The absence of --end-of-options flag creates a critical injection vector that allows attackers to manipulate Git command execution through carefully crafted remote branch names.
This security weakness stems from improper input handling and command construction practices that violate fundamental principles of secure coding. The vulnerability enables command injection attacks by bypassing existing validateGitUrl() checks that are designed to prevent dangerous parameters from being passed to Git operations. When the --remote-branch parameter is not properly validated, it can contain malicious Git options such as --upload-pack or other command-line switches that alter the intended behavior of Git commands.
The operational impact of this vulnerability is significant as it allows for arbitrary command execution through both local and SSH-style Git transports. Attackers can leverage this flaw to execute unauthorized Git operations on systems where Repomix is installed, potentially leading to data compromise, unauthorized code execution, or escalation of privileges. The vulnerability affects the core functionality of repository management within the tool, making it a critical security concern for any environment where Repomix processes untrusted repository data.
The fix implemented in version 1.14.1 addresses this issue by ensuring proper validation of the --remote-branch parameter and incorporating the --end-of-options flag to prevent option injection attacks. This remediation aligns with secure coding practices recommended in CWE-78 and CWE-88 categories, which specifically address command injection vulnerabilities through improper input sanitization. The solution follows ATT&CK technique T1059.001 for command and scripting interpreter, as the vulnerability enables execution of arbitrary commands through Git operations.
Organizations using Repomix should immediately update to version 1.14.1 or later to mitigate this risk. Security teams should also implement monitoring for unusual Git command patterns that might indicate exploitation attempts. The vulnerability demonstrates the importance of input validation in security-critical applications and highlights the need for proper command construction practices that prevent option injection attacks through the use of end-of-options separators and comprehensive parameter sanitization.