CVE-2025-59046

npm · interactive-git-checkout

The npm package interactive-git-checkout contains a vulnerability that may allow for unauthorized command execution or system compromise.

Executive summary

A critical vulnerability has been identified in the interactive-git-checkout npm package that poses a high risk to developer environments and build pipelines.

Vulnerability

The vulnerability exists within the interactive command-line tool, which manages git branch checkouts and prompts for user input. The nature of the flaw suggests potential for command injection or improper input validation during the branch selection process.

Business impact

The CVSS score of 9.8 indicates a critical severity level, potentially allowing an attacker to execute arbitrary commands with the privileges of the user running the tool. This could lead to full system compromise, exfiltration of source code, or the injection of malicious code into development and production environments.

Remediation

Immediate Action: Audit all projects using the interactive-git-checkout package and verify if the package is necessary for current workflows. If a patched version is not available, remove the dependency or migrate to a secure alternative.

Proactive Monitoring: Monitor build logs and developer workstations for anomalous shell commands or unexpected child processes spawned by git-related utilities.

Compensating Controls: Restrict developer access to sensitive production keys and environment variables on machines where this package is installed to limit the blast radius.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the critical CVSS rating, organizations should treat this vulnerability with high priority, particularly within CI/CD pipelines. Immediate removal or containment of the affected package is advised until an official security update is confirmed and applied.