github.com/shini4i/argo-compare is vulnerable to Command Injection
70
High Risk
Affected versions of this package did not sufficiently validate externally supplied diff tool names, which could enable command injection when invoking external diff utilities. The issue was addressed by rejecting names containing shell metacharacters such as ;&|$(){}[]<>!#"' and path traversal patterns. An attacker might exploit this by supplying a crafted tool name that injects additional shell commands or redirects execution to unintended binaries, potentially leading to arbitrary command execution in the context of the affected application.
You are affected if you are using a version that falls within the vulnerable range.
github.com/shini4i/argo-compare is vulnerable to Command Injection in versions 0.5.0 - 0.5.1.
Upgrade the github.com/shini4i/argo-compare library to the patched version.
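The kind of check the fix describes, as an added Go example (not argo-compare's own code): it rejects the metacharacters listed above and any ".." path segment, then builds the command as an argument vector so no shell parses the name. The function names `validateDiffTool` and `diffCommand`, the exact traversal rule, and the sample inputs are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// Metacharacters the advisory lists as rejected by the fix.
const shellMeta = ";&|$(){}[]<>!#\"'"

// validateDiffTool is a hypothetical helper, not the project's implementation.
func validateDiffTool(name string) error {
	if strings.TrimSpace(name) == "" {
		return errors.New("empty diff tool name")
	}
	if strings.ContainsAny(name, shellMeta) {
		return fmt.Errorf("diff tool %q contains a shell metacharacter", name)
	}
	// Assumed traversal rule: no ".." segment under either path separator.
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	for _, seg := range strings.FieldsFunc(name, isSep) {
		if seg == ".." {
			return fmt.Errorf("diff tool %q contains a path traversal segment", name)
		}
	}
	return nil
}

// diffCommand validates the tool name, then passes it as argv[0] with the
// file paths as separate arguments; nothing is concatenated into "sh -c".
func diffCommand(tool, oldPath, newPath string) (*exec.Cmd, error) {
	if err := validateDiffTool(tool); err != nil {
		return nil, err
	}
	return exec.Command(tool, oldPath, newPath), nil
}

func main() {
	// Constructed sample inputs, not values from the advisory.
	for _, name := range []string{"diff", "meld", "diff; id", "$(id)", "../../tmp/tool"} {
		if err := validateDiffTool(name); err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("accepted:", name)
	}
}
```

Validation and argv-style invocation cover different failures: the first stops names that a shell would interpret, the second means an unanticipated character is still never seen by a shell.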