CVE-2022-24066
published 2022-04-01CVE-2022-24066: The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of…
PriorityP354critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
4.07%
89.4th percentile
The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199) which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| simple-git_project | simple-git | < 3.36.0 | 3.36.0 |
| simple-git_project | simple-git | < 3.5.0 | 3.5.0 |
| simple-git_project | simple-git | < 3.15.0 | 3.15.0 |
| simple-git_project | simple-git | >= 0 < 3.15.0 | 3.15.0 |
| simple-git_project | simple-git | >= 0 < 3.5.0 | 3.5.0 |
| simple-git_project | simple-git | >= 0 < 3.32.0 | 3.32.0 |
| simple-git_project | simple-git | >= unspecified < 3.15.0 | 3.15.0 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
ghsa9.8CRITICAL
osv9.8CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
simple-git Affected by Command Execution via Option-Parsing Bypass
ghsa·2026-04-13·CVSS 9.8
CVE-2026-28291 [CRITICAL] CWE-78 simple-git Affected by Command Execution via Option-Parsing Bypass
simple-git Affected by Command Execution via Option-Parsing Bypass
### Summary
simple-git enables running native Git commands from JavaScript. Some commands accept options that allow executing another command; because this is very dangerous, execution is denied unless the user explicitly allows it. This vulnerability allows a malicious actor who can control the options to execute other commands even in a “safe” state where the user has not explicitly allowed them. The vulnerability was introduced by an incorrect patch for CVE-2022-25860. It is *likely* to affect all versions prior to and including 3.28.0.
### Detail
This vulnerability was introduced by an incorrect patch for CVE-2022-25860.
It was reproduced in the following environment:
```
WSL Docker
node: v22.19.0
git: git versi
GHSA
simple-git vulnerable to Remote Code Execution when enabling the ext transport protocol
ghsa·2022-12-06·CVSS 9.8
CVE-2022-25912 [CRITICAL] CWE-78 simple-git vulnerable to Remote Code Execution when enabling the ext transport protocol
simple-git vulnerable to Remote Code Execution when enabling the ext transport protocol
The package simple-git before 3.15.0 is vulnerable to Remote Code Execution (RCE) when enabling the `ext` transport protocol, which makes it exploitable via `clone()` method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306).
OSV
simple-git vulnerable to Remote Code Execution when enabling the ext transport protocol
osv·2022-12-06·CVSS 9.8
CVE-2022-25912 [CRITICAL] simple-git vulnerable to Remote Code Execution when enabling the ext transport protocol
simple-git vulnerable to Remote Code Execution when enabling the ext transport protocol
The package simple-git before 3.15.0 is vulnerable to Remote Code Execution (RCE) when enabling the `ext` transport protocol, which makes it exploitable via `clone()` method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306).
OSV
Command injection in simple-git
osv·2022-04-02·CVSS 9.8
CVE-2022-24066 [CRITICAL] Command injection in simple-git
Command injection in simple-git
`simple-git` (maintained as [git-js](https://github.com/steveukx/git-js) named repository on GitHub) is a light weight interface for running git commands in any node.js application.The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199) which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover. A fix was released in [email protected].
GHSA
Command injection in simple-git
ghsa·2022-04-02·CVSS 9.8
CVE-2022-24066 [CRITICAL] CWE-88 Command injection in simple-git
Command injection in simple-git
`simple-git` (maintained as [git-js](https://github.com/steveukx/git-js) named repository on GitHub) is a light weight interface for running git commands in any node.js application.The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199) which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover. A fix was released in [email protected].
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://gist.github.com/lirantal/a930d902294b833514e821102316426bhttps://github.com/steveukx/git-js/commit/2040de601c894363050fef9f28af367b169a56c5https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2434820https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306https://gist.github.com/lirantal/a930d902294b833514e821102316426bhttps://github.com/steveukx/git-js/commit/2040de601c894363050fef9f28af367b169a56c5https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2434820https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306
2022-04-01
Published