Critical Vulnerability Information

Vulnerability Overview
Vulnerability Type: Argument Injection vulnerability
Affected Package: @conventional-changelog/git-client
Affected Versions: = 2.0.0
Severity: Medium (5.3/10)

Vulnerability Description
An argument injection vulnerability exists in the API of the package. The API allows callers to pass additional parameters to the git command, but it does not validate or restrict that input, so an attacker who controls a parameter can supply a command-line option and use it to overwrite arbitrary files.

Exploitation Context
Affected API:
Root Cause: Lack of input validation or restriction; improper use of double dashes (--) to terminate command-line options, so caller-supplied values are still parsed by git as options.
Impact Scope: Can overwrite any file on the disk, including sensitive files like or critical system configuration files in .

Exploitation Method
1. Install or an earlier version.
2. Prepare a Git directory as the source.
3. Create the following proof-of-concept script:
4. Observe the newly created file on the disk.

Impact
Although the vulnerability is limited to writing files whose content is the command's output, it still allows an attacker to choose and overwrite any file on the disk, including sensitive files and critical system configuration files. The risk is significantly higher if the application runs with elevated privileges (e.g., as root).

Recommended Actions
Do not ignore this vulnerability; patch the insecure design flaw and adopt hardened secure coding practices. Add security notes to the library documentation describing which parameters are safe to pass.