CVE-2025-66219: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in shama willitmerge
willitmerge is a command line tool to check if pull requests are mergeable. In versions 0.2.1 and prior, there is a command injection vulnerability in willitmerge. The vulnerability manifests in this package due to the use of an insecure child process execution API (exec) to which it concatenates user input, whether provided via a command-line flag or under user control in the target repository. At time of publication, no known fix is public.
AI Analysis
Technical Summary
CVE-2025-66219 is a command injection vulnerability in willitmerge, an open-source Node.js command line tool from the shama project that checks whether pull requests are mergeable. Versions 0.2.1 and earlier build shell commands by concatenating user-controlled text into a string that is handed to the child_process exec API, which runs it through a shell without escaping. Because shell metacharacters in that text are not neutralized (CWE-77), whoever controls the input can append arbitrary commands that run with the privileges of the willitmerge process. The advisory names two sources of attacker-controlled input: values passed on the command line, and content in the target repository that is under the attacker's control; it does not say which repository fields are used. The second source is the one that matters in practice: anyone who can open a pull request or push a branch to a repository that willitmerge is run against can place the payload, which is why the CVSS 4.0 vector scores the attack as network-reachable (AV:N) with low complexity (AC:L), no privileges (PR:N) and no user interaction (UI:N). The vector rates the direct impact as limited integrity loss (VI:L) with no confidentiality or availability impact, but once arbitrary commands run inside a CI job the real consequences are bounded by the credentials and repository access that job holds, not by the score. No patch or mitigation was public at disclosure, and no exploitation in the wild is known.
Potential Impact
For European organizations that run willitmerge in their development workflow, the immediate risk is arbitrary command execution on whichever machine runs it: a developer workstation, a build agent or a CI runner. A command executed in that context can tamper with the checkout, push malicious commits to protected branches with the job's own credentials, or read tokens and secrets exposed to the pipeline, so the damage extends from one tool to the integrity of the software supply chain built on it. Organizations handling sensitive or regulated data face compliance exposure if such a foothold is used to exfiltrate data or disrupt delivery. Because the payload can arrive through a pull request, the attacker needs no account on the build infrastructure, only the ability to submit changes to a repository the tool is run against. The medium severity rating reflects the limited direct impact scored in the CVSS vector (integrity only, no confidentiality or availability loss), not the reach a compromised CI job has in practice. European entities with mature DevOps practices and extensive use of open-source tools are particularly exposed.
Mitigation Recommendations
Until a fixed release exists, stop running willitmerge 0.2.1 or earlier against untrusted input, which in practice means any repository that accepts pull requests from people you do not fully trust. Find every instance first: search package.json, package-lock.json and CI workflow definitions for the package name, and run `npm ls willitmerge` in each Node project to see the resolved version. Where the tool must stay in use, run it with the least privilege that still answers the mergeability question (a read-only token, no write access to protected branches, no deployment secrets in the job environment) and inside an isolated container or sandbox, so an injected command cannot reach the rest of the build infrastructure. Validating input at the boundary helps only partially: you can reject ref names and flag values that contain shell metacharacters before they reach the tool, but the durable fix belongs in the code, which should invoke git through execFile or spawn with an argument array rather than through exec with a concatenated string; if you maintain a fork, make that change. Monitor build agents for unexpected child processes of the node process that runs willitmerge, and for shell invocations whose command line embeds a branch or ref name. If feasible, replace willitmerge with a tool that does not shell out with untrusted input. Track the project's advisories and upgrade as soon as a fixed version is published, and add static analysis that flags commands built by string concatenation (CodeQL's JavaScript command-injection queries cover this pattern) so the same bug does not come back.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-24T23:01:29.679Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 692a51f32a13ea799fcc56d7
Added to database: 11/29/2025, 1:52:51 AM
Last enriched: 11/29/2025, 2:08:34 AM
Last updated: 12/4/2025, 10:06:23 PM