Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:npm/async-git@1.1.0
purl pkg:npm/async-git@1.1.0
Next non-vulnerable version 1.13.2
Latest non-vulnerable version 1.13.2
Risk 4.5
Vulnerabilities affecting this package (2)
Vulnerability Summary Fixed by
VCID-89ub-wbsn-ayfa
Aliases:
CVE-2020-28490
GHSA-6qpr-9mc5-7gch
Argument Injection or Modification The package async-git are vulnerable to Command Injection via shell meta-characters (back-ticks). For example, ``git.reset('a`touch HACKED`b')``
1.13.2
Affected by 0 other vulnerabilities.
VCID-zhnp-1cu9-qqgy
Aliases:
CVE-2021-3190
GHSA-6c3f-p5wp-34mh
The async-git package for Node.js allows OS Command Injection via shell metacharacters, as demonstrated by `git.reset` and `git.tag`.
1.13.2
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-04T20:45:09.029046+00:00 GitLab Importer Affected by VCID-89ub-wbsn-ayfa https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/async-git/CVE-2020-28490.yml 38.6.0
2026-06-04T20:43:45.039772+00:00 GitLab Importer Affected by VCID-zhnp-1cu9-qqgy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/async-git/CVE-2021-3190.yml 38.6.0