Search criteria
14 vulnerabilities found for simple-git by simple-git_project
CVE-2026-6951 (GCVE-0-2026-6951)
Vulnerability from nvd – Published: 2026-04-25 05:00 – Updated: 2026-04-25 10:50
VLAI?
Summary
Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221) that blocks the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source.
Severity ?
9.8 (Critical)
CWE
- CWE-94 - Remote Code Execution (RCE)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | simple-git |
Affected:
0 , < 3.36.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6951",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-25T10:50:10.217564Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-25T10:50:22.342Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-15456078"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "simple-git",
"vendor": "n/a",
"versions": [
{
"lessThan": "3.36.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kuycheu Kung"
}
],
"descriptions": [
{
"lang": "en",
"value": "Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221) that blocks the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P",
"version": "3.1"
},
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"exploitMaturity": "PROOF_OF_CONCEPT",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Remote Code Execution (RCE)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-25T05:00:05.257Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-15456078"
},
{
"url": "https://gist.github.com/KKC73/02d1d97f3410756095b501fda0ac8ca6"
},
{
"url": "https://github.com/steveukx/git-js/commit/89a2294febed5dfe737c4c735d936bb6018746a8"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2026-6951",
"datePublished": "2026-04-25T05:00:05.257Z",
"dateReserved": "2026-04-24T07:25:39.128Z",
"dateUpdated": "2026-04-25T10:50:22.342Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28291 (GCVE-0-2026-28291)
Vulnerability from nvd – Published: 2026-04-13 17:15 – Updated: 2026-04-14 16:30
VLAI?
Title
simple-git has Command Execution via Option-Parsing Bypass
Summary
simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for CVE-2022-25860, as Git's flexible option parsing allows numerous character combinations (e.g., -vu, -4u, -nu) to circumvent the regular-expression-based blocklist in the unsafe operations plugin. Due to the virtually infinite number of valid option variants that Git accepts, a complete blocklist-based mitigation may be infeasible without fully emulating Git's option parsing behavior. This issue has been fixed in version 3.32.0.
Severity ?
8.1 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/steveukx/git-js/security/advis… | x_refsource_CONFIRM |
| https://github.com/steveukx/git-js/commit/1effd8e… | x_refsource_MISC |
| https://github.com/steveukx/git-js/blob/789c13eba… | x_refsource_MISC |
| https://github.com/steveukx/git-js/releases/tag/s… | x_refsource_MISC |
| https://www.cve.org/CVERecord?id=CVE-2022-25860 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28291",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T13:53:36.631739Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T13:53:41.169Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/steveukx/git-js/security/advisories/GHSA-jcxm-m3jx-f287"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "git-js",
"vendor": "steveukx",
"versions": [
{
"status": "affected",
"version": "\u003c 3.32.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for CVE-2022-25860, as Git\u0027s flexible option parsing allows numerous character combinations (e.g., -vu, -4u, -nu) to circumvent the regular-expression-based blocklist in the unsafe operations plugin. Due to the virtually infinite number of valid option variants that Git accepts, a complete blocklist-based mitigation may be infeasible without fully emulating Git\u0027s option parsing behavior. This issue has been fixed in version 3.32.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:30:34.266Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/steveukx/git-js/security/advisories/GHSA-jcxm-m3jx-f287",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/steveukx/git-js/security/advisories/GHSA-jcxm-m3jx-f287"
},
{
"name": "https://github.com/steveukx/git-js/commit/1effd8e5012a5da05a9776512fac3e39b11f2d2d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/steveukx/git-js/commit/1effd8e5012a5da05a9776512fac3e39b11f2d2d"
},
{
"name": "https://github.com/steveukx/git-js/blob/789c13ebabcf18ebe0b3a0c88ebb4037dede42e3/simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts#L26",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/steveukx/git-js/blob/789c13ebabcf18ebe0b3a0c88ebb4037dede42e3/simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts#L26"
},
{
"name": "https://github.com/steveukx/git-js/releases/tag/simple-git%403.32.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/steveukx/git-js/releases/tag/simple-git%403.32.0"
},
{
"name": "https://www.cve.org/CVERecord?id=CVE-2022-25860",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25860"
}
],
"source": {
"advisory": "GHSA-jcxm-m3jx-f287",
"discovery": "UNKNOWN"
},
"title": "simple-git has Command Execution via Option-Parsing Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28291",
"datePublished": "2026-04-13T17:15:14.594Z",
"dateReserved": "2026-02-26T01:52:58.735Z",
"dateUpdated": "2026-04-14T16:30:34.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28292 (GCVE-0-2026-28292)
Vulnerability from nvd – Published: 2026-03-10 18:34 – Updated: 2026-04-14 15:30
VLAI?
Title
simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key that enables RCE
Summary
`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.
Severity ?
9.8 (Critical)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/steveukx/git-js/security/advis… | x_refsource_CONFIRM |
| https://github.com/steveukx/git-js/commit/f704208… | x_refsource_MISC |
| https://www.codeant.ai/security-research/security… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| steveukx | simple-git |
Affected:
>= 3.15.0, < 3.32.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28292",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:30:35.861085Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T15:30:40.620Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.codeant.ai/security-research/simple-git-remote-code-execution-cve-2026-28292"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "simple-git",
"vendor": "steveukx",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.15.0, \u003c 3.32.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-178",
"description": "CWE-178: Improper Handling of Case Sensitivity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T17:35:45.980Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/steveukx/git-js/security/advisories/GHSA-r275-fr43-pm7q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/steveukx/git-js/security/advisories/GHSA-r275-fr43-pm7q"
},
{
"name": "https://github.com/steveukx/git-js/commit/f7042088aa2dac59e3c49a84d7a2f4b26048a257",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/steveukx/git-js/commit/f7042088aa2dac59e3c49a84d7a2f4b26048a257"
},
{
"name": "https://www.codeant.ai/security-research/security-research-simple-git-remote-code-execution-cve-2026-28292",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.codeant.ai/security-research/security-research-simple-git-remote-code-execution-cve-2026-28292"
}
],
"source": {
"advisory": "GHSA-r275-fr43-pm7q",
"discovery": "UNKNOWN"
},
"title": "simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key that enables RCE"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28292",
"datePublished": "2026-03-10T18:34:21.717Z",
"dateReserved": "2026-02-26T01:52:58.736Z",
"dateUpdated": "2026-04-14T15:30:40.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-25860 (GCVE-0-2022-25860)
Vulnerability from nvd – Published: 2023-01-24 05:00 – Updated: 2025-04-01 15:29
VLAI?
Summary
Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization.
This vulnerability exists due to an incomplete fix of [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221).
Severity ?
CWE
- CWE-94 - Remote Code Execution (RCE)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | simple-git |
Affected:
0 , < 3.16.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:49:44.156Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3177391"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/steveukx/git-js/pull/881/commits/95459310e5b8f96e20bb77ef1a6559036b779e13"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/steveukx/git-js/commit/ec97a39ab60b89e870c5170121cd9c1603cc1951"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-25860",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-01T15:29:00.748383Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T15:29:18.377Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "simple-git",
"vendor": "n/a",
"versions": [
{
"lessThan": "3.16.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Santos Gallegos"
}
],
"descriptions": [
{
"lang": "en",
"value": "Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization.\rThis vulnerability exists due to an incomplete fix of [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221).\r\r"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Remote Code Execution (RCE)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-24T05:00:02.399Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3177391"
},
{
"url": "https://github.com/steveukx/git-js/pull/881/commits/95459310e5b8f96e20bb77ef1a6559036b779e13"
},
{
"url": "https://github.com/steveukx/git-js/commit/ec97a39ab60b89e870c5170121cd9c1603cc1951"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2022-25860",
"datePublished": "2023-01-24T05:00:02.399Z",
"dateReserved": "2022-02-24T11:58:25.171Z",
"dateUpdated": "2025-04-01T15:29:18.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-25912 (GCVE-0-2022-25912)
Vulnerability from nvd – Published: 2022-12-12 01:49 – Updated: 2025-04-22 20:15
VLAI?
Title
Remote Code Execution (RCE)
Summary
The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306).
Severity ?
CWE
- Remote Code Execution (RCE)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | simple-git |
Affected:
unspecified , < 3.15.0
(custom)
|
Date Public ?
2022-12-06 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:49:44.459Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3153532"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/steveukx/git-js/commit/774648049eb3e628379e292ea172dccaba610504"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/steveukx/git-js/releases/tag/simple-git%403.15.0"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md%23overriding-allowed-protocols"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-25912",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T20:14:53.034027Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T20:15:14.996Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "simple-git",
"vendor": "n/a",
"versions": [
{
"lessThan": "3.15.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Sam Wheating"
}
],
"datePublic": "2022-12-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 7.7,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution (RCE)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-06T00:00:00.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221"
},
{
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3153532"
},
{
"url": "https://github.com/steveukx/git-js/commit/774648049eb3e628379e292ea172dccaba610504"
},
{
"url": "https://github.com/steveukx/git-js/releases/tag/simple-git%403.15.0"
},
{
"url": "https://github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md%23overriding-allowed-protocols"
}
],
"title": "Remote Code Execution (RCE)"
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2022-25912",
"datePublished": "2022-12-12T01:49:10.008Z",
"dateReserved": "2022-02-24T00:00:00.000Z",
"dateUpdated": "2025-04-22T20:15:14.996Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24066 (GCVE-0-2022-24066)
Vulnerability from nvd – Published: 2022-04-01 20:00 – Updated: 2024-09-16 21:08
VLAI?
Title
Command Injection
Summary
The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199) which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.
Severity ?
8.1 (High)
CWE
- Command Injection
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306 | x_refsource_MISC |
| https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2434820 | x_refsource_MISC |
| https://gist.github.com/lirantal/a930d902294b8335… | x_refsource_MISC |
| https://github.com/steveukx/git-js/commit/2040de6… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | simple-git |
Affected:
unspecified , < 3.5.0
(custom)
|
Date Public ?
2022-04-01 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:59:23.718Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2434820"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gist.github.com/lirantal/a930d902294b833514e821102316426b"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/steveukx/git-js/commit/2040de601c894363050fef9f28af367b169a56c5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "simple-git",
"vendor": "n/a",
"versions": [
{
"lessThan": "3.5.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Liran Tal"
}
],
"datePublic": "2022-04-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199) which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn\u0027t cover."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Command Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-01T20:00:16.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2434820"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.github.com/lirantal/a930d902294b833514e821102316426b"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/steveukx/git-js/commit/2040de601c894363050fef9f28af367b169a56c5"
}
],
"title": "Command Injection",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2022-04-01T20:00:01.776777Z",
"ID": "CVE-2022-24066",
"STATE": "PUBLIC",
"TITLE": "Command Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "simple-git",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.5.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Liran Tal"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199) which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn\u0027t cover."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2434820",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2434820"
},
{
"name": "https://gist.github.com/lirantal/a930d902294b833514e821102316426b",
"refsource": "MISC",
"url": "https://gist.github.com/lirantal/a930d902294b833514e821102316426b"
},
{
"name": "https://github.com/steveukx/git-js/commit/2040de601c894363050fef9f28af367b169a56c5",
"refsource": "MISC",
"url": "https://github.com/steveukx/git-js/commit/2040de601c894363050fef9f28af367b169a56c5"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2022-24066",
"datePublished": "2022-04-01T20:00:16.930Z",
"dateReserved": "2022-02-24T00:00:00.000Z",
"dateUpdated": "2024-09-16T21:08:34.077Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24433 (GCVE-0-2022-24433)
Vulnerability from nvd – Published: 2022-03-11 16:15 – Updated: 2024-09-16 21:57
VLAI?
Title
Command Injection
Summary
The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution.
Severity ?
8.1 (High)
CWE
- Command Injection
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199 | x_refsource_MISC |
| https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245 | x_refsource_MISC |
| https://github.com/steveukx/git-js/pull/767 | x_refsource_MISC |
| https://github.com/steveukx/git-js/releases/tag/s… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | simple-git |
Affected:
unspecified , < 3.3.0
(custom)
|
Date Public ?
2022-03-11 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:13:55.535Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/steveukx/git-js/pull/767"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "simple-git",
"vendor": "n/a",
"versions": [
{
"lessThan": "3.3.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Alessio Della Libera of Snyk Research Team"
}
],
"datePublic": "2022-03-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Command Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-11T16:15:14.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/steveukx/git-js/pull/767"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0"
}
],
"title": "Command Injection",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2022-03-11T16:12:03.865726Z",
"ID": "CVE-2022-24433",
"STATE": "PUBLIC",
"TITLE": "Command Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "simple-git",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.3.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Alessio Della Libera of Snyk Research Team"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245"
},
{
"name": "https://github.com/steveukx/git-js/pull/767",
"refsource": "MISC",
"url": "https://github.com/steveukx/git-js/pull/767"
},
{
"name": "https://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0",
"refsource": "MISC",
"url": "https://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2022-24433",
"datePublished": "2022-03-11T16:15:14.245Z",
"dateReserved": "2022-02-24T00:00:00.000Z",
"dateUpdated": "2024-09-16T21:57:22.111Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-6951 (GCVE-0-2026-6951)
Vulnerability from cvelistv5 – Published: 2026-04-25 05:00 – Updated: 2026-04-25 10:50
VLAI?
Summary
Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221) that blocks the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source.
Severity ?
9.8 (Critical)
CWE
- CWE-94 - Remote Code Execution (RCE)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | simple-git |
Affected:
0 , < 3.36.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6951",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-25T10:50:10.217564Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-25T10:50:22.342Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-15456078"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "simple-git",
"vendor": "n/a",
"versions": [
{
"lessThan": "3.36.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kuycheu Kung"
}
],
"descriptions": [
{
"lang": "en",
"value": "Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221) that blocks the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P",
"version": "3.1"
},
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"exploitMaturity": "PROOF_OF_CONCEPT",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Remote Code Execution (RCE)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-25T05:00:05.257Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-15456078"
},
{
"url": "https://gist.github.com/KKC73/02d1d97f3410756095b501fda0ac8ca6"
},
{
"url": "https://github.com/steveukx/git-js/commit/89a2294febed5dfe737c4c735d936bb6018746a8"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2026-6951",
"datePublished": "2026-04-25T05:00:05.257Z",
"dateReserved": "2026-04-24T07:25:39.128Z",
"dateUpdated": "2026-04-25T10:50:22.342Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28291 (GCVE-0-2026-28291)
Vulnerability from cvelistv5 – Published: 2026-04-13 17:15 – Updated: 2026-04-14 16:30
VLAI?
Title
simple-git has Command Execution via Option-Parsing Bypass
Summary
simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for CVE-2022-25860, as Git's flexible option parsing allows numerous character combinations (e.g., -vu, -4u, -nu) to circumvent the regular-expression-based blocklist in the unsafe operations plugin. Due to the virtually infinite number of valid option variants that Git accepts, a complete blocklist-based mitigation may be infeasible without fully emulating Git's option parsing behavior. This issue has been fixed in version 3.32.0.
Severity ?
8.1 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/steveukx/git-js/security/advis… | x_refsource_CONFIRM |
| https://github.com/steveukx/git-js/commit/1effd8e… | x_refsource_MISC |
| https://github.com/steveukx/git-js/blob/789c13eba… | x_refsource_MISC |
| https://github.com/steveukx/git-js/releases/tag/s… | x_refsource_MISC |
| https://www.cve.org/CVERecord?id=CVE-2022-25860 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28291",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T13:53:36.631739Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T13:53:41.169Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/steveukx/git-js/security/advisories/GHSA-jcxm-m3jx-f287"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "git-js",
"vendor": "steveukx",
"versions": [
{
"status": "affected",
"version": "\u003c 3.32.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for CVE-2022-25860, as Git\u0027s flexible option parsing allows numerous character combinations (e.g., -vu, -4u, -nu) to circumvent the regular-expression-based blocklist in the unsafe operations plugin. Due to the virtually infinite number of valid option variants that Git accepts, a complete blocklist-based mitigation may be infeasible without fully emulating Git\u0027s option parsing behavior. This issue has been fixed in version 3.32.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:30:34.266Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/steveukx/git-js/security/advisories/GHSA-jcxm-m3jx-f287",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/steveukx/git-js/security/advisories/GHSA-jcxm-m3jx-f287"
},
{
"name": "https://github.com/steveukx/git-js/commit/1effd8e5012a5da05a9776512fac3e39b11f2d2d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/steveukx/git-js/commit/1effd8e5012a5da05a9776512fac3e39b11f2d2d"
},
{
"name": "https://github.com/steveukx/git-js/blob/789c13ebabcf18ebe0b3a0c88ebb4037dede42e3/simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts#L26",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/steveukx/git-js/blob/789c13ebabcf18ebe0b3a0c88ebb4037dede42e3/simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts#L26"
},
{
"name": "https://github.com/steveukx/git-js/releases/tag/simple-git%403.32.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/steveukx/git-js/releases/tag/simple-git%403.32.0"
},
{
"name": "https://www.cve.org/CVERecord?id=CVE-2022-25860",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25860"
}
],
"source": {
"advisory": "GHSA-jcxm-m3jx-f287",
"discovery": "UNKNOWN"
},
"title": "simple-git has Command Execution via Option-Parsing Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28291",
"datePublished": "2026-04-13T17:15:14.594Z",
"dateReserved": "2026-02-26T01:52:58.735Z",
"dateUpdated": "2026-04-14T16:30:34.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28292 (GCVE-0-2026-28292)
Vulnerability from cvelistv5 – Published: 2026-03-10 18:34 – Updated: 2026-04-14 15:30
VLAI?
Title
simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key that enables RCE
Summary
`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.
Severity ?
9.8 (Critical)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/steveukx/git-js/security/advis… | x_refsource_CONFIRM |
| https://github.com/steveukx/git-js/commit/f704208… | x_refsource_MISC |
| https://www.codeant.ai/security-research/security… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| steveukx | simple-git |
Affected:
>= 3.15.0, < 3.32.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28292",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:30:35.861085Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T15:30:40.620Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.codeant.ai/security-research/simple-git-remote-code-execution-cve-2026-28292"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "simple-git",
"vendor": "steveukx",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.15.0, \u003c 3.32.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-178",
"description": "CWE-178: Improper Handling of Case Sensitivity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T17:35:45.980Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/steveukx/git-js/security/advisories/GHSA-r275-fr43-pm7q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/steveukx/git-js/security/advisories/GHSA-r275-fr43-pm7q"
},
{
"name": "https://github.com/steveukx/git-js/commit/f7042088aa2dac59e3c49a84d7a2f4b26048a257",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/steveukx/git-js/commit/f7042088aa2dac59e3c49a84d7a2f4b26048a257"
},
{
"name": "https://www.codeant.ai/security-research/security-research-simple-git-remote-code-execution-cve-2026-28292",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.codeant.ai/security-research/security-research-simple-git-remote-code-execution-cve-2026-28292"
}
],
"source": {
"advisory": "GHSA-r275-fr43-pm7q",
"discovery": "UNKNOWN"
},
"title": "simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key that enables RCE"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28292",
"datePublished": "2026-03-10T18:34:21.717Z",
"dateReserved": "2026-02-26T01:52:58.736Z",
"dateUpdated": "2026-04-14T15:30:40.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-25860 (GCVE-0-2022-25860)
Vulnerability from cvelistv5 – Published: 2023-01-24 05:00 – Updated: 2025-04-01 15:29
VLAI?
Summary
Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization.
This vulnerability exists due to an incomplete fix of [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221).
Severity ?
CWE
- CWE-94 - Remote Code Execution (RCE)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | simple-git |
Affected:
0 , < 3.16.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:49:44.156Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3177391"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/steveukx/git-js/pull/881/commits/95459310e5b8f96e20bb77ef1a6559036b779e13"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/steveukx/git-js/commit/ec97a39ab60b89e870c5170121cd9c1603cc1951"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-25860",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-01T15:29:00.748383Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T15:29:18.377Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "simple-git",
"vendor": "n/a",
"versions": [
{
"lessThan": "3.16.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Santos Gallegos"
}
],
"descriptions": [
{
"lang": "en",
"value": "Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization.\rThis vulnerability exists due to an incomplete fix of [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221).\r\r"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Remote Code Execution (RCE)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-24T05:00:02.399Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3177391"
},
{
"url": "https://github.com/steveukx/git-js/pull/881/commits/95459310e5b8f96e20bb77ef1a6559036b779e13"
},
{
"url": "https://github.com/steveukx/git-js/commit/ec97a39ab60b89e870c5170121cd9c1603cc1951"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2022-25860",
"datePublished": "2023-01-24T05:00:02.399Z",
"dateReserved": "2022-02-24T11:58:25.171Z",
"dateUpdated": "2025-04-01T15:29:18.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-25912 (GCVE-0-2022-25912)
Vulnerability from cvelistv5 – Published: 2022-12-12 01:49 – Updated: 2025-04-22 20:15
VLAI?
Title
Remote Code Execution (RCE)
Summary
The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306).
Severity ?
CWE
- Remote Code Execution (RCE)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | simple-git |
Affected:
unspecified , < 3.15.0
(custom)
|
Date Public ?
2022-12-06 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:49:44.459Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3153532"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/steveukx/git-js/commit/774648049eb3e628379e292ea172dccaba610504"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/steveukx/git-js/releases/tag/simple-git%403.15.0"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md%23overriding-allowed-protocols"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-25912",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T20:14:53.034027Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T20:15:14.996Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "simple-git",
"vendor": "n/a",
"versions": [
{
"lessThan": "3.15.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Sam Wheating"
}
],
"datePublic": "2022-12-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 7.7,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution (RCE)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-06T00:00:00.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221"
},
{
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3153532"
},
{
"url": "https://github.com/steveukx/git-js/commit/774648049eb3e628379e292ea172dccaba610504"
},
{
"url": "https://github.com/steveukx/git-js/releases/tag/simple-git%403.15.0"
},
{
"url": "https://github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md%23overriding-allowed-protocols"
}
],
"title": "Remote Code Execution (RCE)"
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2022-25912",
"datePublished": "2022-12-12T01:49:10.008Z",
"dateReserved": "2022-02-24T00:00:00.000Z",
"dateUpdated": "2025-04-22T20:15:14.996Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24066 (GCVE-0-2022-24066)
Vulnerability from cvelistv5 – Published: 2022-04-01 20:00 – Updated: 2024-09-16 21:08
VLAI?
Title
Command Injection
Summary
The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199) which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.
Severity ?
8.1 (High)
CWE
- Command Injection
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306 | x_refsource_MISC |
| https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2434820 | x_refsource_MISC |
| https://gist.github.com/lirantal/a930d902294b8335… | x_refsource_MISC |
| https://github.com/steveukx/git-js/commit/2040de6… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | simple-git |
Affected:
unspecified , < 3.5.0
(custom)
|
Date Public ?
2022-04-01 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:59:23.718Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2434820"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gist.github.com/lirantal/a930d902294b833514e821102316426b"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/steveukx/git-js/commit/2040de601c894363050fef9f28af367b169a56c5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "simple-git",
"vendor": "n/a",
"versions": [
{
"lessThan": "3.5.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Liran Tal"
}
],
"datePublic": "2022-04-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199) which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn\u0027t cover."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Command Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-01T20:00:16.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2434820"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.github.com/lirantal/a930d902294b833514e821102316426b"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/steveukx/git-js/commit/2040de601c894363050fef9f28af367b169a56c5"
}
],
"title": "Command Injection",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2022-04-01T20:00:01.776777Z",
"ID": "CVE-2022-24066",
"STATE": "PUBLIC",
"TITLE": "Command Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "simple-git",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.5.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Liran Tal"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199) which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn\u0027t cover."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2434820",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2434820"
},
{
"name": "https://gist.github.com/lirantal/a930d902294b833514e821102316426b",
"refsource": "MISC",
"url": "https://gist.github.com/lirantal/a930d902294b833514e821102316426b"
},
{
"name": "https://github.com/steveukx/git-js/commit/2040de601c894363050fef9f28af367b169a56c5",
"refsource": "MISC",
"url": "https://github.com/steveukx/git-js/commit/2040de601c894363050fef9f28af367b169a56c5"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2022-24066",
"datePublished": "2022-04-01T20:00:16.930Z",
"dateReserved": "2022-02-24T00:00:00.000Z",
"dateUpdated": "2024-09-16T21:08:34.077Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24433 (GCVE-0-2022-24433)
Vulnerability from cvelistv5 – Published: 2022-03-11 16:15 – Updated: 2024-09-16 21:57
VLAI?
Title
Command Injection
Summary
The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution.
Severity ?
8.1 (High)
CWE
- Command Injection
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199 | x_refsource_MISC |
| https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245 | x_refsource_MISC |
| https://github.com/steveukx/git-js/pull/767 | x_refsource_MISC |
| https://github.com/steveukx/git-js/releases/tag/s… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | simple-git |
Affected:
unspecified , < 3.3.0
(custom)
|
Date Public ?
2022-03-11 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:13:55.535Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/steveukx/git-js/pull/767"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "simple-git",
"vendor": "n/a",
"versions": [
{
"lessThan": "3.3.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Alessio Della Libera of Snyk Research Team"
}
],
"datePublic": "2022-03-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Command Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-11T16:15:14.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/steveukx/git-js/pull/767"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0"
}
],
"title": "Command Injection",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2022-03-11T16:12:03.865726Z",
"ID": "CVE-2022-24433",
"STATE": "PUBLIC",
"TITLE": "Command Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "simple-git",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.3.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Alessio Della Libera of Snyk Research Team"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245"
},
{
"name": "https://github.com/steveukx/git-js/pull/767",
"refsource": "MISC",
"url": "https://github.com/steveukx/git-js/pull/767"
},
{
"name": "https://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0",
"refsource": "MISC",
"url": "https://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2022-24433",
"datePublished": "2022-03-11T16:15:14.245Z",
"dateReserved": "2022-02-24T00:00:00.000Z",
"dateUpdated": "2024-09-16T21:57:22.111Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}