VDB
KO
HIGH 8.8

GHSA-vhhw-xjvf-wprr

Command Injection in @graphql-tools/git-loader

Details

This affects the package @graphql-tools/git-loader before 6.2.6. The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @graphql-tools/git-loader
Introduced in: 0 Fixed in: 6.2.6
Fix npm install @graphql-tools/git-loader@6.2.6

References