CVE-2024-21532 is a command injection vulnerability found in all versions of the ggit package, specifically within the fetchTags(branch) API. This API accepts a branch name as input and concatenates it directly into a git command string, which is then executed using Node.js's child_process exec() function without proper sanitization or validation. Because exec() runs commands in a shell, an attacker can inject arbitrary shell commands by crafting malicious branch names. The vulnerability requires no privileges or user interaction, making it remotely exploitable over any interface that exposes this API. The CVSS v3.1 base score is 7.3, indicating high severity, with attack vector network, low attack complexity, no privileges required, no user interaction, and impacts on confidentiality, integrity, and availability. Although no public exploits are known yet, the nature of the vulnerability allows for remote code execution, which could lead to system compromise, data leakage, or service disruption. The lack of patches or mitigations currently published increases the urgency for users to implement workarounds or restrict access to vulnerable endpoints.

The vulnerability enables remote attackers to execute arbitrary commands on systems running ggit, potentially leading to unauthorized access, data exfiltration, or disruption of services. Confidentiality may be compromised if sensitive data is accessed or leaked. Integrity can be affected if attackers modify code repositories or system files. Availability may be impacted if attackers execute destructive commands or disrupt git operations. Organizations relying on ggit for source code management or automation could face significant operational risks, including supply chain compromise or lateral movement within networks. The ease of exploitation and lack of authentication requirements increase the threat level, especially for publicly accessible services or CI/CD pipelines integrating ggit.

Until an official patch is released, organizations should implement strict input validation and sanitization on any user-supplied branch names passed to the fetchTags API. Restrict network access to the ggit service to trusted users and internal networks only. Employ application-layer firewalls or runtime application self-protection (RASP) solutions to detect and block suspicious command injection patterns. Consider replacing calls to exec() with safer alternatives like execFile() or spawn() that do not invoke a shell, or refactor the code to avoid concatenating user input into shell commands. Monitor logs for unusual git command executions or shell activity. Keep dependencies up to date and subscribe to security advisories for ggit to apply patches promptly once available.