CVE-2025-66219 · CRITICAL 9.8 · EPSS percentile 81.6%

CVE-2025-66219

Description

willitmerge is a command-line tool that checks whether pull requests are mergeable. Versions 0.2.1 and earlier contain a command injection vulnerability (CWE-77). The package builds a command string by concatenating user input and runs it through the insecure child-process execution API exec, which hands the whole string to a shell for parsing. The injected input can come from a command-line flag or from data under user control in the target repository. At the time of publication, no fix is publicly available.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.37% probability of exploitation · percentile 81.6% · scored 2026-06-19T12:03:05Z
Published: 2025-11-29
Last modified: 2025-12-19

Underlying weaknesses · 1

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

References

  1. https://github.com/shama/willitmerge/blob/2fe91d05191fb05ac6da685828d109a3a5885028/lib/willitmerge.js#L189-L197
  2. https://github.com/shama/willitmerge/security/advisories/GHSA-j9wj-m24m-7jj6

Weakness mappings · 1

Type      Target                                                                                   Confidence  Tier
Weakness  Improper Neutralization of Special Elements used in a Command ('Command Injection') [cwe-77]  0%          live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-11148
  2. CVE-2026-11572
  3. CVE-2026-42563
  4. CVE-2025-59046
  5. CVE-2025-63706
  6. CVE-2025-61492

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.