[GHSA-28qq-5f47-r5x2] gemini-mcp-tool execAsync Command Injection Remote Code...#7859
Conversation
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Updates the unreviewed advisory record for GHSA-28qq-5f47-r5x2 (CVE-2026-0755) to include package impact metadata for the npm ecosystem.
Changes:
- Added a human-readable `summary` for the advisory.
- Populated `affected` with the `gemini-mcp-tool` npm package and an introduced/fixed range (1.1.2 → 1.1.6).
- Added a `PACKAGE` reference URL to the upstream GitHub repository.
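As an added example, not code from this PR or from the gemini-mcp-tool project, the following Python check reads an introduced/fixed range in the advisory's `affected` metadata and flags lockfile entries that fall inside it (introduced inclusive, fixed exclusive). The `ADVISORY` dictionary reproduces the range stated on this page in an OSV-style layout, and the package-lock fragment is constructed for the example.

```python
"""Flag npm installs whose version falls in an advisory's affected range.

Added example; the ADVISORY layout is an OSV-style assumption and the
lockfile content below is constructed, not taken from any real project.
"""
import json
import re
from typing import Dict, List, Tuple

# Affected-range metadata as described in the PR: npm package
# gemini-mcp-tool, introduced 1.1.2, fixed 1.1.6 (GHSA-28qq-5f47-r5x2).
ADVISORY = {
    "id": "GHSA-28qq-5f47-r5x2",
    "affected": [
        {
            "package": {"ecosystem": "npm", "name": "gemini-mcp-tool"},
            "ranges": [
                {"type": "ECOSYSTEM",
                 "events": [{"introduced": "1.1.2"}, {"fixed": "1.1.6"}]}
            ],
        }
    ],
}

# Constructed package-lock.json (lockfileVersion 2/3 style) fragment.
SAMPLE_LOCKFILE = json.dumps({
    "packages": {
        "node_modules/gemini-mcp-tool": {"version": "1.1.3"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/nested/node_modules/gemini-mcp-tool": {"version": "1.1.6"},
    }
})

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(v: str) -> Tuple[int, int, int, Tuple[int, str]]:
    """Parse MAJOR.MINOR.PATCH[-prerelease] into a comparable tuple."""
    m = _SEMVER.match(v.lstrip("v"))
    if not m:
        raise ValueError(f"not a semver string: {v!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4)
    # A pre-release sorts below the bare release of the same number.
    tail = (0, pre) if pre else (1, "")
    return (major, minor, patch, tail)


def is_affected(version: str, events: List[Dict[str, str]]) -> bool:
    """OSV/GHSA semantics: 'introduced' is inclusive, 'fixed' is exclusive."""
    v = parse_version(version)
    introduced = fixed = None
    for ev in events:
        introduced = ev.get("introduced", introduced)
        fixed = ev.get("fixed", fixed)
    lo_ok = introduced in (None, "0") or v >= parse_version(introduced)
    hi_ok = fixed is None or v < parse_version(fixed)
    return lo_ok and hi_ok


def scan_lockfile(lock_json: str, advisory: dict) -> List[Tuple[str, str]]:
    """Return (lockfile path, version) for every install in the affected range."""
    lock = json.loads(lock_json)
    hits: List[Tuple[str, str]] = []
    for aff in advisory["affected"]:
        if aff["package"]["ecosystem"] != "npm":
            continue
        name = aff["package"]["name"]
        for path, meta in lock.get("packages", {}).items():
            # Match the package name after the last node_modules/ segment,
            # so nested (transitive) installs are covered too.
            if path.split("node_modules/")[-1] != name:
                continue
            for rng in aff["ranges"]:
                if is_affected(meta["version"], rng["events"]):
                    hits.append((path, meta["version"]))
    return hits


if __name__ == "__main__":
    for path, ver in scan_lockfile(SAMPLE_LOCKFILE, ADVISORY):
        print(f"{ADVISORY['id']}: {path}@{ver} is in the affected range")
```

Running it reports the top-level 1.1.3 install and stays quiet about the nested 1.1.6 copy, which is the patched version; swap `SAMPLE_LOCKFILE` for the contents of a real package-lock.json to check a project.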
Hi @jamubc, thank you for alerting my teammates and me to the presence of GHSA-28qq-5f47-r5x2. GHSA-28qq-5f47-r5x2 refers to the same vulnerability as the repo advisory GHSA-4h5r-5jm8-jxjm. You'll get credit on GHSA-28qq-5f47-r5x2 for informing us of the duplicate, and the information you provided will appear in the global advisory version of GHSA-4h5r-5jm8-jxjm.
89da0f5 into jamubc/advisory-improvement-7859
Hi @jamubc! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
Updates
Comments
Adding npm package info. Fix shipped in v1.1.6. Repo advisory GHSA-4h5r-5jm8-jxjm is published. Affected versions >= 1.1.2, < 1.1.6. Patched in 1.1.6.