CVE-2022-24433
Published 2022-03-11
Priority: P261 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.50% (87.7th percentile)
The package simple-git before 3.3.0 is vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting git options through those parameters, it was possible to get arbitrary command execution.
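To make the mechanics concrete, the JavaScript below is an added illustration and not simple-git's own code. It models a thin wrapper that forwards caller-supplied `remote`/`branch` (and, for the clone vector that the related CVE-2022-24066 entries further down describe, `repo`/`dir`) straight into git's argument vector, shows how a value such as `--upload-pack=<cmd>` lands where git's option parser reads it, and contrasts a hardened builder that refuses option-shaped positional values. All function names, the `--receive-pack` entry in the denylist, and the payload string are assumptions made for the example; option parsing is simulated rather than delegated to a real git binary so the block runs offline.

```javascript
// Added example (not simple-git's own code): argument injection through a
// git wrapper that forwards caller-supplied positional values into argv,
// beside a hardened builder that refuses option-shaped values.
//
// Options that make git run a caller-named program instead of its own
// pack helper. --upload-pack is the one the advisories name; --receive-pack
// (the push-side equivalent) is added here as an assumption.
const EXEC_OPTIONS = ['--upload-pack', '--receive-pack'];

// Vulnerable shape: remote/branch (or repo/dir) land right after the
// subcommand, where git's option parser still treats "-..." as an option.
function buildFetchArgsVulnerable(remote, branch) {
  return ['fetch', remote, branch].filter((a) => a !== undefined);
}

function buildCloneArgsVulnerable(repo, dir) {
  return ['clone', repo, dir].filter((a) => a !== undefined);
}

// Simulates the slice of git's option parsing that matters here. Returns
// the program git would spawn if this argv were handed to it, or null.
// Both spellings git accepts are covered: "--opt=<cmd>" and "--opt <cmd>".
function injectedProgram(argv) {
  for (let i = 1; i < argv.length; i++) {
    for (const opt of EXEC_OPTIONS) {
      if (argv[i] === opt && i + 1 < argv.length) return argv[i + 1];
      if (argv[i].startsWith(opt + '=')) return argv[i].slice(opt.length + 1);
    }
  }
  return null;
}

// Hardened shape: a value meant as a remote, ref, URL or directory must be
// a non-empty string and must not begin with "-". Rejecting the option
// syntax as a whole is safer than denylisting individual option names.
function assertPositional(name, value) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new TypeError(`${name} must be a non-empty string`);
  }
  if (value.startsWith('-')) {
    throw new Error(`${name} ${JSON.stringify(value)} looks like a git option; refusing`);
  }
}

function buildFetchArgsSafe(remote, branch) {
  assertPositional('remote', remote);
  if (branch !== undefined) assertPositional('branch', branch);
  return branch === undefined ? ['fetch', remote] : ['fetch', remote, branch];
}

function buildCloneArgsSafe(repo, dir) {
  assertPositional('repo', repo);
  if (dir !== undefined) assertPositional('dir', dir);
  return dir === undefined ? ['clone', repo] : ['clone', repo, dir];
}

// Constructed payload in the shape the advisories describe: the "remote"
// is really an option that points upload-pack at an attacker-chosen command.
const PAYLOAD = '--upload-pack=touch /tmp/pwned';

// Runs both shapes against the payload and a benign call; returns a summary.
function demo() {
  const attempt = (fn, ...args) => {
    try { return { ok: true, argv: fn(...args) }; }
    catch (e) { return { ok: false, error: e.message }; }
  };
  return {
    fetchVulnerable: injectedProgram(buildFetchArgsVulnerable(PAYLOAD, 'main')),
    cloneVulnerable: injectedProgram(buildCloneArgsVulnerable(PAYLOAD, 'checkout')),
    fetchSafe: attempt(buildFetchArgsSafe, PAYLOAD, 'main'),
    cloneSafe: attempt(buildCloneArgsSafe, 'https://example.invalid/repo.git', PAYLOAD),
    benign: attempt(buildFetchArgsSafe, 'origin', 'main'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The hardened version's value is the positional check, not the denylist: anything beginning with `-` in a slot where the caller meant a remote name, ref or path is an argument injection attempt, whichever option it spells. Handed to a real git, the vulnerable argv makes git spawn the named program in place of git-upload-pack when it contacts the remote, which for a local-path remote means on the host running the wrapper.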
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| simple-git_project | simple-git | < 3.5.0 | 3.5.0 |
| simple-git_project | simple-git | < 3.3.0 | 3.3.0 |
| simple-git_project | simple-git | >= 0 < 3.3.0 | 3.3.0 |
| simple-git_project | simple-git | >= 0 < 3.5.0 | 3.5.0 |
| simple-git_project | simple-git | >= 0 < 3.32.0 | 3.32.0 |
| simple-git_project | simple-git | >= unspecified < 3.15.0 | 3.15.0 |
| simple-git_project | simple-git | >= unspecified < 3.3.0 | 3.3.0 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| GHSA | | 9.8 | CRITICAL | |
| OSV | | 9.8 | CRITICAL | |
GHSA · 2026-04-13 · CVSS 9.8
CVE-2026-28291 [CRITICAL] CWE-78 simple-git Affected by Command Execution via Option-Parsing Bypass
### Summary
simple-git enables running native Git commands from JavaScript. Some commands accept options that allow executing another command; because this is very dangerous, execution is denied unless the user explicitly allows it. This vulnerability allows a malicious actor who can control the options to execute other commands even in a "safe" state where the user has not explicitly allowed them. The vulnerability was introduced by an incorrect patch for CVE-2022-25860. It is *likely* to affect all versions prior to and including 3.28.0.
### Detail
This vulnerability was introduced by an incorrect patch for CVE-2022-25860.
It was reproduced in the following environment:
```
WSL Docker
node: v22.19.0
git: git versi
```
OSV · 2022-04-02 · CVSS 9.8
CVE-2022-24066 [CRITICAL] Command injection in simple-git
`simple-git` (maintained as the [git-js](https://github.com/steveukx/git-js) repository on GitHub) is a lightweight interface for running git commands in any node.js application. The package simple-git before 3.5.0 is vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199), which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover. A fix was released in simple-git@3.5.0.
GHSA · 2022-04-02 · CVSS 9.8
CVE-2022-24066 [CRITICAL] CWE-88 Command injection in simple-git
`simple-git` (maintained as the [git-js](https://github.com/steveukx/git-js) repository on GitHub) is a lightweight interface for running git commands in any node.js application. The package simple-git before 3.5.0 is vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199), which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover. A fix was released in simple-git@3.5.0.
GHSA · 2022-03-12
CVE-2022-24433 [HIGH] CWE-74 Command injection in simple-git
The package simple-git before 3.3.0 is vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options, it was possible to get arbitrary command execution.
OSV · 2022-03-12
CVE-2022-24433 [HIGH] Command injection in simple-git
The package simple-git before 3.3.0 is vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options, it was possible to get arbitrary command execution.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/steveukx/git-js/pull/767
- https://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245
- https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199