Home > Vulnerability Database > CVE-2025-11148

Mend.io Vulnerability Database

CVE-2025-11148

Good to know:

Date: September 30, 2025

All versions of the package check-branches are vulnerable to Command Injection check-branches is a command-line tool that is interacted with locally, or via CI, to confirm no conflicts exist in git branches. However, the library follows these conventions which can be abused: 1. It trusts branch names as they are (plain text) 2. It spawns git commands by concatenating user input Since a branch name is potentially a user input - as users can create branches remotely via pull requests, or simply due to privileged access to a repository - it can effectively be abused to run any command.

Severity Score

9.8

Related Resources (4)

Url: https://github.com/puntorigen/check-branches

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-11148

Url: https://gist.github.com/lirantal/054b4ad039a86c418f2c84e3e884d6ec

Url: https://www.mend.io/vulnerability-database/CVE-2025-11148

Severity Score

9.8

Weakness Type (CWE)

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-77

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-11148

Good to know:

Date: September 30, 2025

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?