CVE-2025-66219: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in shama willitmerge
willitmerge is a command line tool to check if pull requests are mergeable. In versions 0.2.1 and prior, there is a command injection vulnerability in willitmerge. The vulnerability manifests in this package due to the use of the insecure child process execution API (exec), to which it concatenates user input, whether provided via a command-line flag or under user control in the target repository. At time of publication, no known fix is public.
AI Analysis
Technical Summary
CVE-2025-66219 identifies a command injection vulnerability in the open-source command line tool willitmerge, developed by the shama project. willitmerge is designed to programmatically determine if pull requests can be merged, and is commonly integrated into CI/CD pipelines. Versions 0.2.1 and earlier use the Node.js exec API insecurely by concatenating user-controlled input directly into shell commands without neutralizing special characters or sanitizing inputs. This improper neutralization (CWE-77) allows an attacker to inject arbitrary shell commands that the system executes with the same privileges as the willitmerge process. The vulnerability can be triggered remotely without authentication or user interaction, as inputs can come from command-line flags or from repository content under user control. Exploitation could allow attackers to execute arbitrary commands, potentially altering code, injecting malicious payloads, or disrupting development workflows. At the time of publication, no patch or fix is publicly available, increasing the risk for organizations relying on this tool. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N) indicates a network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on integrity. No known exploits in the wild have been reported yet, but the vulnerability’s nature and ease of exploitation make it a significant risk for software supply chain security.
Potential Impact
For European organizations, especially those with mature DevOps and CI/CD practices integrating willitmerge, this vulnerability poses a risk of unauthorized command execution within development environments. Attackers could manipulate pull request checks to inject malicious code or disrupt merge processes, potentially leading to compromised codebases or supply chain attacks. This could affect software integrity, delay development cycles, and introduce backdoors or vulnerabilities into production systems. The medium severity rating reflects limited impact on confidentiality and availability but a tangible threat to integrity. Organizations relying on automated merge checks in open source or internal repositories are particularly vulnerable. The absence of a patch increases exposure duration, and attackers exploiting this flaw could target critical infrastructure or sensitive projects, amplifying the impact. Additionally, compromised development tools could undermine trust in software supply chains, a key concern for European regulators and industries.
Mitigation Recommendations
Immediate mitigation involves discontinuing use of willitmerge versions 0.2.1 and earlier until a secure update is released. Organizations should audit their CI/CD pipelines to identify usage of willitmerge and isolate or sandbox its execution environment to limit potential damage from exploitation. Input validation and sanitization should be implemented at the integration points where user input reaches willitmerge, rejecting or escaping special shell characters. Consider replacing willitmerge with alternative tools that do not use unsafe command execution or that have verified secure coding practices. Monitoring and logging of CI/CD activities should be enhanced to detect anomalous command executions or unexpected merge behaviors. Engage with the vendor or open source maintainers to track patch releases and apply updates promptly. For critical environments, implement strict access controls around repository management and pull request approvals to reduce the risk of malicious input reaching willitmerge. Finally, educate developers and DevOps teams about the risks of command injection vulnerabilities and secure coding practices.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-24T23:01:29.679Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 692a51f32a13ea799fcc56d7
Added to database: 11/29/2025, 1:52:51 AM
Last enriched: 12/6/2025, 4:29:33 AM
Last updated: 1/18/2026, 8:31:47 AM