willitmerge is a command line tool to check if pull requests are mergeable. In versions 0.2.1 and prior, there is a command Injection vulnerability in willitmerge. The vulnerability manifests in this package due to the use of insecure child process execution API (exec) to which it concatenates user input, whether provided to the command-line flag, or is in user control in the target repository. At time of publication, no known fix is public.
References
| Link | Resource |
|---|---|
| https://github.com/shama/willitmerge/blob/2fe91d05191fb05ac6da685828d109a3a5885028/lib/willitmerge.js#L189-L197 | Product |
| https://github.com/shama/willitmerge/security/advisories/GHSA-j9wj-m24m-7jj6 | Exploit Vendor Advisory |
| https://github.com/shama/willitmerge/security/advisories/GHSA-j9wj-m24m-7jj6 | Exploit Vendor Advisory |
Configurations
History
19 Dec 2025, 15:52
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Dontkry
Dontkry willitmerge |
|
| References | () https://github.com/shama/willitmerge/blob/2fe91d05191fb05ac6da685828d109a3a5885028/lib/willitmerge.js#L189-L197 - Product | |
| References | () https://github.com/shama/willitmerge/security/advisories/GHSA-j9wj-m24m-7jj6 - Exploit, Vendor Advisory | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
| CPE | cpe:2.3:a:dontkry:willitmerge:*:*:*:*:*:node.js:*:* |
01 Dec 2025, 20:15
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/shama/willitmerge/security/advisories/GHSA-j9wj-m24m-7jj6 - |
29 Nov 2025, 02:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-11-29 02:15
Updated : 2025-12-19 15:52
NVD link : CVE-2025-66219
Mitre link : CVE-2025-66219
CVE.ORG link : CVE-2025-66219
JSON object : View
Products Affected
dontkry
- willitmerge
CWE
CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')