Git Graph
mhutchie.git-graph
· published by mhutchie
verified
CRITICAL
4 findings detected for mhutchie.git-graph — 1 critical, 3 medium.
1 CRITICAL · 3 MEDIUM
2026-05-26 17:26 UTC
last scanned
Source coverage
- open-vsx v1.30.0 verified
- marketplace v1.30.0 verified
Findings
CRITICAL data-exfiltration Host data collection + outbound POST in same region
out/askpass/askpassMain.js :18
`out/askpass/askpassMain.js` reads host data (env vars, dotfiles, home paths) within the scanner's proximity window of an outbound POST or PUT. This is the shape of an exfiltration handler. In the flagged code, however, the POST is issued over `socketPath` taken from `VSCODE_GIT_GRAPH_ASKPASS_HANDLE` (a local IPC socket, not a network host) and the only environment values read are the two askpass handles, so confirm that a remote endpoint or collected host data is actually involved before treating this as exfiltration.
process.exit(1);
}
function main(argv) {
if (argv.length !== 5)
return fatal('Wrong number of arguments');
if (!process.env['VSCODE_GIT_GRAPH_ASKPASS_HANDLE'])
return fatal('Missing handle');
if (!process.env['VSCODE_GIT_GRAPH_ASKPASS_PIPE'])
return fatal('Missing pipe');
const output = process.env['VSCODE_GIT_GRAPH_ASKPASS_PIPE'];
▶ const socketPath = process.env['VSCODE_GIT_GRAPH_ASKPASS_HANDLE'];
const req = http.request({ socketPath, path: '/', method: 'POST' }, res => {
if (res.statusCode !== 200)
return fatal('Bad status code: ' + res.statusCode);
let resData = '';
res.setEncoding('utf8');
res.on('data', (d) => resData += d);
res.on('end', () => {
try {
let response = JSON.parse(resData);
fs.writeFileSync(output, response + '\n');
Affected versions
marketplace 1.12.1, 1.13.0, 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.18.0, 1.19.0, 1.19.1, 1.20.0, 1.21.0, 1.22.0, 1.23.0, 1.24.0, 1.25.0, 1.26.0, 1.27.0, 1.28.0, 1.29.0, 1.30.0
open-vsx 1.25.0, 1.26.0, 1.27.0, 1.28.0, 1.29.0, 1.30.0
MEDIUM child-process-exec Extension spawns subprocesses via child_process
out/dataSource.js :585
`out/dataSource.js` imports child_process and calls exec / spawn / execFile / fork. Subprocess execution lets the extension pivot from the VSCode host into the user's shell. In the flagged code the process launched is the resolved git executable (`this.gitExecutable.path`) invoked through `spawn` with an argument array, i.e. without a shell, which is the expected behaviour of a git client extension.
});
}
runGitCommand(args, repo) {
// Runs git with `args` inside `repo` via spawnGit. The `() => null` callback is
// handed to spawnGit as its resolveValue (presumably what a successful run
// resolves with — confirm in spawnGit). A rejection is converted into a
// fulfilled promise carrying the error message, so this never rejects.
const onSuccess = () => null;
const onFailure = (errorMessage) => errorMessage;
const pending = this.spawnGit(args, repo, onSuccess);
return pending.catch(onFailure);
}
spawnGit(args, repo, resolveValue) {
return new Promise((resolve, reject) => {
if (this.gitExecutable === null)
return reject(utils_1.UNABLE_TO_FIND_GIT_MSG);
let stdout = '', stderr = '', err = false;
▶ const cmd = cp.spawn(this.gitExecutable.path, args, {
cwd: repo,
env: Object.assign({}, process.env, this.askpassEnv)
});
cmd.stdout.on('data', (d) => { stdout += d; });
cmd.stderr.on('data', (d) => { stderr += d; });
cmd.on('error', (e) => {
reject(getErrorMessage(e, stdout, stderr));
err = true;
});
cmd.on('exit', (code) => {
Affected versions
marketplace 1.12.1, 1.13.0, 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.18.0, 1.19.0, 1.19.1, 1.20.0, 1.21.0, 1.22.0, 1.23.0, 1.24.0, 1.25.0, 1.26.0, 1.27.0, 1.28.0, 1.29.0, 1.30.0
open-vsx 1.25.0, 1.26.0, 1.27.0, 1.28.0, 1.29.0, 1.30.0
MEDIUM child-process-exec Extension spawns subprocesses via child_process
out/utils.js :180
`out/utils.js` imports child_process and calls exec / spawn / execFile / fork. Subprocess execution lets the extension pivot from the VSCode host into the user's shell. The flagged calls pass fixed command strings (`which git`, `xcode-select -p`) to locate the git executable; no caller-supplied input reaches them in the code shown.
case 'win32':
return findGitOnWin32();
default:
return getGitExecutable('git');
}
});
}
// Public entry point for locating the git executable (see findGit above).
Object.assign(exports, { findGit });
function findGitOnDarwin() {
return new Promise((resolve, reject) => {
▶ cp.exec('which git', (err, stdout) => {
if (err)
return reject();
const path = stdout.trim();
if (path !== '/usr/bin/git') {
getGitExecutable(path).then((exec) => resolve(exec), () => reject());
}
else {
cp.exec('xcode-select -p', (err) => {
if (err && err.code === 2) {
reject();
Affected versions
marketplace 1.12.1, 1.13.0, 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.18.0, 1.19.0, 1.19.1, 1.20.0, 1.21.0, 1.22.0, 1.23.0, 1.24.0, 1.25.0, 1.26.0, 1.27.0, 1.28.0, 1.29.0, 1.30.0
open-vsx 1.25.0, 1.26.0, 1.27.0, 1.28.0, 1.29.0, 1.30.0
MEDIUM wildcard-activation Extension activates on every VSCode launch
package.json
`package.json` declares `activationEvents: ['*']`, so the extension runs on every VSCode launch. Combined with any CRITICAL finding this widens the attack window from on-demand to always-on.
activationEvents: ['*']
Affected versions
marketplace 1.12.1, 1.13.0, 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.18.0, 1.19.0, 1.19.1, 1.20.0, 1.21.0, 1.22.0, 1.23.0, 1.24.0, 1.25.0, 1.26.0, 1.27.0, 1.28.0, 1.29.0, 1.30.0
open-vsx 1.25.0, 1.26.0, 1.27.0, 1.28.0, 1.29.0, 1.30.0