CVE-2022-25860
published 2023-01-26CVE-2022-25860: Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to…
PriorityP259critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
2.71%
84.1th percentile
Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221).
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| simple-git_project | simple-git | < 3.32.0 | 3.32.0 |
| simple-git_project | simple-git | < 3.16.0 | 3.16.0 |
| simple-git_project | simple-git | >= 0 < 3.16.0 | 3.16.0 |
| simple-git_project | simple-git | >= 0 < 3.32.0 | 3.32.0 |
| simple-git_project | simple-git | >= 3.15.0 < 3.32.2 | 3.32.2 |
| steveukx | git-js | < 3.32.0 | 3.32.0 |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for injection of configuration options that re-enable the ext:: protocol in Git commands, which can be used to bypass earlier mitigations in simple-git ↗
- →The blocklist bypass for CVE-2022-25860 uses Git option variants such as -vu, -4u, -nu to circumvent regex-based blocklists; monitor for these option patterns in Git command invocations from Node.js processes ↗
- →Flag simple-git library versions 3.15.0 through 3.32.2 in Node.js applications as vulnerable to RCE via bypass of CVE-2022-25860 and CVE-2022-25912 fixes ↗
- →Alert on simple-git versions up to and including 3.31.1 for the option-parsing bypass variant; dangerous options -u and --upload-pack being passed through should be flagged ↗
- ·A complete blocklist-based mitigation for the option-parsing bypass is considered infeasible by researchers, as the number of valid Git option variants is virtually infinite; detection rules based solely on known bad strings (-u, --upload-pack) will have coverage gaps ↗
- ·The fix version differs between the two related bypass issues: the RCE-via-ext:: bypass is fixed in simple-git 3.23.0, while the option-parsing bypass variant is fixed in 3.32.0; ensure the correct target version is used when writing version-based detection or remediation rules ↗
- ·Several Red Hat packages are marked 'Will not fix' for this CVE (e.g., openshift-logging components, kibana6-rhel8), meaning vulnerable versions may remain deployed in those environments indefinitely ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa9.8CRITICAL
osv9.8CRITICAL
vendor_redhat8.1HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
simple-git: simple-git: Remote Code Execution via bypass of prior security fixes
vendor_redhat·2026-03-10·CVSS 8.1
CVE-2026-28292 [HIGH] CWE-76 simple-git: simple-git: Remote Code Execution via bypass of prior security fixes
simple-git: simple-git: Remote Code Execution via bypass of prior security fixes
`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.
A vulnerability was discovered in the simple-git Node.js library. The issue is caused by improper validation of user-supplied input when constructing Git commands. An attacker able to supply specially crafted repository URLs or arguments could exploit Git’s ext:: protocol handler to execute arbitrary commands on the underlying system.
This flaw bypasses earlier mitigations in
GHSA
simple-git Affected by Command Execution via Option-Parsing Bypass
ghsa·2026-04-13·CVSS 9.8
CVE-2026-28291 [CRITICAL] CWE-78 simple-git Affected by Command Execution via Option-Parsing Bypass
simple-git Affected by Command Execution via Option-Parsing Bypass
### Summary
simple-git enables running native Git commands from JavaScript. Some commands accept options that allow executing another command; because this is very dangerous, execution is denied unless the user explicitly allows it. This vulnerability allows a malicious actor who can control the options to execute other commands even in a “safe” state where the user has not explicitly allowed them. The vulnerability was introduced by an incorrect patch for CVE-2022-25860. It is *likely* to affect all versions prior to and including 3.28.0.
### Detail
This vulnerability was introduced by an incorrect patch for CVE-2022-25860.
It was reproduced in the following environment:
```
WSL Docker
node: v22.19.0
git: git versi
GHSA
Remote code execution in simple-git
ghsa·2023-01-26·CVSS 9.8
CVE-2022-25860 [CRITICAL] CWE-78 Remote code execution in simple-git
Remote code execution in simple-git
Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of CVE-2022-25912.
OSV
Remote code execution in simple-git
osv·2023-01-26·CVSS 9.8
CVE-2022-25860 [CRITICAL] Remote code execution in simple-git
Remote code execution in simple-git
Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of CVE-2022-25912.
No detection rules found.
No public exploits indexed.
https://github.com/steveukx/git-js/commit/ec97a39ab60b89e870c5170121cd9c1603cc1951https://github.com/steveukx/git-js/pull/881/commits/95459310e5b8f96e20bb77ef1a6559036b779e13https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3177391https://github.com/steveukx/git-js/commit/ec97a39ab60b89e870c5170121cd9c1603cc1951https://github.com/steveukx/git-js/pull/881/commits/95459310e5b8f96e20bb77ef1a6559036b779e13https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3177391
2023-01-26
Published