Willitmerge Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in the Willitmerge command line tool, specifically in versions through 0.2.1. The vulnerability arises because the tool concatenates user input into command strings that it passes to the child process execution API 'exec'. Injected commands are executed in the context of the user running Willitmerge, potentially leading to unauthorized actions or file manipulations. At the time of publication, no fix has been released.
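The pattern described above next to a hardened counterpart, as an added example (this is not Willitmerge's source code). The `git fetch` subcommand, the function names and the allow-list patterns are assumptions chosen for illustration.

```javascript
// Added example, not Willitmerge's code. The git subcommand, function names
// and allow-list patterns are assumptions used to illustrate the pattern.
const { exec, execFile } = require('node:child_process');

// Vulnerable pattern: exec() hands the whole string to the shell, so shell
// metacharacters inside `remote` are interpreted instead of passed to git.
function fetchRemoteUnsafe(remote, cb) {
  exec('git fetch ' + remote, cb);
}

// Allow-list for the remote value: scheme URLs and scp-style remotes only.
const SCHEME_URL = /^(https|ssh|git):\/\/[A-Za-z0-9._~:@\/-]+$/;
const SCP_STYLE = /^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+:[A-Za-z0-9._~\/-]+$/;

function isSafeRemote(remote) {
  if (typeof remote !== 'string') return false;
  if (remote.length === 0 || remote.length > 2048) return false;
  // A leading dash would be parsed by git as an option, even without a shell.
  if (remote.startsWith('-')) return false;
  return SCHEME_URL.test(remote) || SCP_STYLE.test(remote);
}

// Build the argument vector; "--" ends git's option parsing.
function buildFetchArgv(remote) {
  if (!isSafeRemote(remote)) {
    throw new Error('rejected remote: ' + JSON.stringify(remote));
  }
  return ['fetch', '--', remote];
}

// Hardened pattern: execFile() starts git directly with an argv array, so no
// shell ever sees the remote value.
function fetchRemoteSafe(remote, cb) {
  execFile('git', buildFetchArgv(remote), { timeout: 30000 }, cb);
}

// Constructed sample inputs showing what the allow-list accepts and rejects.
function demo() {
  const samples = [
    'https://github.com/example/repo.git',
    'git@github.com:example/repo.git',
    'https://example.invalid/r.git; echo injected',
    '--upload-pack=x',
  ];
  return samples.map((s) => [s, isSafeRemote(s)]);
}
```

The argv form removes the shell from the call path; the allow-list and the "--" separator additionally stop a remote value from being read by git as an option.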

Impact

Exploitation of this vulnerability allows for command injection, where an attacker can execute arbitrary commands on the system where Willitmerge is run.

Reproduction

To reproduce this vulnerability, install Willitmerge and execute it with a command that includes injected input, such as a remote URL containing a command to create a file in the '/tmp' directory. This can be done by appending a command injection payload to the remote option, which Willitmerge will execute as part of its normal operation.

Added: Nov 29, 2025, 2:17 AM
Updated: Nov 29, 2025, 2:17 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.8
remediation: 0.0
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.