CVE-2025-59046: The npm package `interactive-git-checkout` is an interactive command-line tool that allows users to checkout a git branc
critical vulnerability
security
Summary
The npm package `interactive-git-checkout` (a command-line tool for switching between git branches) has a command injection vulnerability (a flaw where attackers can run malicious commands by inserting code into input fields) in versions up to 1.1.4. The tool does not properly check the branch name before passing it to the git command.
Solution / Mitigation
Commit 8dd832dd302af287a61611f4f85e157cd1c6bb41 fixes the issue. Users should update to a version that includes this commit.
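For defenders auditing similar tools, the following added example (not code from `interactive-git-checkout` or its fix commit) shows one way to hand a branch name to git without a shell and to flag risky names before use. It assumes the unsafe pattern is a name interpolated into a shell command string; all function names and sample branch names are hypothetical.

```javascript
// Added illustration; not code from interactive-git-checkout.
const { execFileSync } = require("node:child_process");

// Characters a shell interprets. Git itself allows several of them
// (for example ; & | $ ` ( )) in ref names, so "is a valid branch name"
// does not imply "is safe inside a shell command line".
const SHELL_META = /[;&|`$()<>'"!#{}\s\\]/;

// Detection helper: given branch names (e.g. from `git for-each-ref`),
// return those that would be dangerous if interpolated into a shell string
// or that git would read as an option.
function flagSuspiciousBranches(names) {
  return names.filter((n) => SHELL_META.test(n) || n.startsWith("-"));
}

// Build the argument vector for git. Each element reaches git as exactly
// one argument; no shell parses it, so metacharacters stay literal.
function checkoutArgv(branch) {
  if (typeof branch !== "string" || branch.length === 0) {
    throw new TypeError("branch name must be a non-empty string");
  }
  // A leading "-" would be read by git as an option, not a branch.
  if (branch.startsWith("-")) {
    throw new Error(`refusing option-like branch name: ${branch}`);
  }
  // Trailing "--" tells git the preceding word is a revision, not a path.
  return ["checkout", branch, "--"];
}

// Hardened call: execFileSync does not spawn a shell by default.
function checkout(branch, cwd = process.cwd()) {
  return execFileSync("git", checkoutArgv(branch), { cwd, encoding: "utf8" });
}

// Constructed sample names, for illustration only.
const SAMPLE_BRANCHES = ["main", "feature/login", "topic;echo-marker", "--orphan"];
```

`flagSuspiciousBranches(SAMPLE_BRANCHES)` returns the last two names; `checkoutArgv` still accepts `topic;echo-marker` because, without a shell, the `;` is only a character in a single argument.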
Vulnerability Details
CVSS Score
9.8 (critical)
EPSS (30-day exploit probability)
EPSS: 0.3%
Classification
Attack Sophistication: Trivial
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-59046
First tracked: February 15, 2026 at 08:52 PM
Classified by LLM (prompt v3) · confidence: 95%