CVE-2026-25542: Git Argument Injection

Provally Curated | Public repository | High | Medium confidence | Verified | Apache-2.0 | go
greprules fetch cve-2026-25542-git-argument-injection --engine opengrep

Description

Git argument injection detected. A user-controlled variable is passed to a git command without using the `--` end-of-options separator. This can allow an attacker to inject git command-line flags (e.g., `--upload-pack`) leading to remote code execution. Ensure `--` is used before any dynamic arguments.
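
The flagged pattern beside a hardened form, as an added Go example (not the rule's own test code and not code from any affected project). The function names, the choice of `git clone`, and the sample value are assumptions made for illustration; `parsedAsOptions` only approximates git's option parsing so the difference can be seen without running git.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// unsafeCloneArgs mirrors the pattern the rule flags: dynamic values are
// appended directly, so a value starting with "-" is parsed by git as a flag.
func unsafeCloneArgs(repoURL, dir string) []string {
	return []string{"clone", repoURL, dir}
}

// safeCloneArgs places "--" before all dynamic values and, as defence in
// depth, rejects values that are empty or look like options.
func safeCloneArgs(repoURL, dir string) ([]string, error) {
	for _, v := range []string{repoURL, dir} {
		if v == "" || strings.HasPrefix(v, "-") {
			return nil, errors.New("refusing option-like or empty git argument")
		}
	}
	return []string{"clone", "--", repoURL, dir}, nil
}

// parsedAsOptions approximates git's parsing: arguments starting with "-"
// before the first "--" are options; everything after "--" is positional.
func parsedAsOptions(args []string) []string {
	var opts []string
	for _, a := range args[1:] { // skip the subcommand
		if a == "--" {
			break
		}
		if strings.HasPrefix(a, "-") {
			opts = append(opts, a)
		}
	}
	return opts
}

func main() {
	hostile := "--upload-pack=CONSTRUCTED_VALUE" // constructed sample input
	fmt.Println("unsafe, parsed as options:", parsedAsOptions(unsafeCloneArgs(hostile, "dst")))
	_, err := safeCloneArgs(hostile, "dst")
	fmt.Println("safe, rejected:", err)
	args, _ := safeCloneArgs("https://example.com/repo.git", "dst")
	fmt.Println(exec.Command("git", args...).Args) // built only, never executed
}
```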

Detection target

Not provided

Recommended fix

Not provided

False-positive notes

Not provided
