@argos-ci/core is vulnerable to OS Command Injection
75
High Risk
@argos-ci/core passes attacker-controlled CI branch and ref names directly into execSync template literals in its git helper functions. Because execSync runs the command string through a shell, metacharacters such as $() command substitution in a branch name are evaluated before git executes. When a project has remote content access disabled, the upload flow resolves a merge base using the unsanitized branch, letting an attacker who controls the branch name run arbitrary OS commands on the CI runner. The fix invokes git via execFileSync with an argument array so the values are passed literally and never reach a shell.
You are affected if you are using a version that falls within the vulnerable range and your project has remote content access disabled.
@argos-ci/core is vulnerable to OS Command Injection in versions 0.1.0 - 6.2.0.
Upgrade the @argos-ci/core library to the patched version.