CVE-2022-25860
published 2023-01-26


Priority: P259 · Severity: critical · CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 2.71% (84.1th percentile)
Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221).

Affected

6 ranges
Vendor              Product     Version range         Fixed in
simple-git_project  simple-git  < 3.32.0              3.32.0
simple-git_project  simple-git  < 3.16.0              3.16.0
simple-git_project  simple-git  >= 0 < 3.16.0         3.16.0
simple-git_project  simple-git  >= 0 < 3.32.0         3.32.0
simple-git_project  simple-git  >= 3.15.0 < 3.32.2    3.32.2
steveukx            git-js      < 3.32.0              3.32.0

Detection & IOCs (extracted from sources)

  • Monitor for injection of configuration options that re-enable the ext:: protocol in Git commands, which can be used to bypass earlier mitigations in simple-git
  • The blocklist bypass for CVE-2022-25860 uses Git option variants such as -vu, -4u, -nu to circumvent regex-based blocklists; monitor for these option patterns in Git command invocations from Node.js processes
  • Flag simple-git library versions 3.15.0 through 3.32.2 in Node.js applications as vulnerable to RCE via bypass of CVE-2022-25860 and CVE-2022-25912 fixes
  • Alert on simple-git versions up to and including 3.31.1 for the option-parsing bypass variant; dangerous options -u and --upload-pack being passed through should be flagged
  • A complete blocklist-based mitigation for the option-parsing bypass is considered infeasible by researchers, as the number of valid Git option variants is virtually infinite; detection rules based solely on known bad strings (-u, --upload-pack) will have coverage gaps
  • The fix version differs between the two related bypass issues: the RCE-via-ext:: bypass is fixed in simple-git 3.23.0, while the option-parsing bypass variant is fixed in 3.32.0; ensure the correct target version is used when writing version-based detection or remediation rules
  • Several Red Hat packages are marked 'Will not fix' for this CVE (e.g., openshift-logging components, kibana6-rhel8), meaning vulnerable versions may remain deployed in those environments indefinitely
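As an added example (not code from this record, from simple-git, or from any of the cited sources), the following Python turns the detection notes above into two checks a defender can run: a version comparison against the affected ranges listed in this record (reporting the highest fix version that closes every matching range), and a scan of logged git command lines for the option patterns the notes describe: clustered short options ending in -u (-vu, -4u, -nu), --upload-pack, -c protocol.ext.allow overrides that re-enable the ext:: transport, and ext:: URLs. The function names, the "node" parent-process filter, the placeholder paths and the sample log records are constructed for this example.

```python
"""Added example: defender-side checks for the simple-git issues in this record.
Not code from simple-git or any cited source. Version ranges and option
patterns come from the record; log records and paths below are constructed."""
import re
import shlex

# Affected ranges as listed in the record:
# (lower bound inclusive or None, upper bound exclusive, version closing the range)
AFFECTED_RANGES = [
    (None, "3.16.0", "3.16.0"),
    (None, "3.32.0", "3.32.0"),
    ("3.15.0", "3.32.2", "3.32.2"),
]

# Global git options that consume the next argv element; the subcommand follows
# them, e.g. `git -c protocol.ext.allow=always clone ...`.
GLOBAL_OPTS_WITH_VALUE = {"-c", "-C", "--git-dir", "--work-tree", "--exec-path"}

UPLOAD_PACK_LONG = re.compile(r"^--upload-pack(?:=|$)")
SHORT_CLUSTER_U = re.compile(r"^-[A-Za-z0-9]*u$")   # -u, -vu, -4u, -nu ...
EXT_ALLOW = re.compile(r"^protocol\.ext\.allow=", re.IGNORECASE)


def parse_version(text):
    """'v3.16.0-beta+1' -> (3, 16, 0): drop a leading v and any suffix."""
    core = text.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def matching_fix_versions(version):
    """Fix versions of every listed range that contains `version`."""
    pv = parse_version(version)
    hits = []
    for low, high, fixed in AFFECTED_RANGES:
        if low is not None and pv < parse_version(low):
            continue
        if pv < parse_version(high):
            hits.append(fixed)
    return hits


def required_upgrade(version):
    """Highest fix version across matching ranges, or None if not affected."""
    hits = matching_fix_versions(version)
    return max(hits, key=parse_version) if hits else None


def git_subcommand(argv):
    """Return the git subcommand (argv[0] is the git binary), or None."""
    i = 1
    while i < len(argv):
        if argv[i] in GLOBAL_OPTS_WITH_VALUE:
            i += 2
        elif argv[i].startswith("-"):
            i += 1
        else:
            return argv[i]
    return None


def flag_git_invocation(cmdline):
    """Reasons a logged git command line deserves a look; [] when none.
    `push -u` means --set-upstream, so push is excluded from the -u rule;
    other subcommands are reported broadly and left to analyst triage."""
    argv = shlex.split(cmdline)
    if not argv or not re.split(r"[\\/]", argv[0])[-1].startswith("git"):
        return []
    sub = git_subcommand(argv)
    reasons, options_done = [], False
    for i, tok in enumerate(argv[1:], start=1):
        if tok == "--":                  # end of options; URLs may still follow
            options_done = True
            continue
        if tok.startswith("ext::"):
            reasons.append(f"ext:: transport URL: {tok}")
        if options_done:
            continue
        if UPLOAD_PACK_LONG.match(tok):
            reasons.append(f"upload-pack override: {tok}")
        elif SHORT_CLUSTER_U.match(tok) and sub != "push":
            reasons.append(f"clustered -u option: {tok}")
        if tok == "-c" and i + 1 < len(argv) and EXT_ALLOW.match(argv[i + 1]):
            reasons.append(f"ext transport re-enabled: {argv[i + 1]}")
        elif tok.startswith("-c") and EXT_ALLOW.match(tok[2:]):   # glued form
            reasons.append(f"ext transport re-enabled: {tok[2:]}")
    return reasons


def scan_log(records):
    """records: (parent process, command line) pairs from process-creation logs.
    Returns (command line, reasons) for git invocations spawned by node."""
    flagged = []
    for parent, cmd in records:
        if parent.startswith("node"):
            reasons = flag_git_invocation(cmd)
            if reasons:
                flagged.append((cmd, reasons))
    return flagged


# Constructed sample records (placeholder host and paths, not real data).
SAMPLE_LOG = [
    ("node", "git clone https://example.invalid/repo.git /tmp/repo"),
    ("node", "git clone -vu /opt/placeholder-upload-pack https://example.invalid/repo.git"),
    ("node", "git -c protocol.ext.allow=always pull origin main"),
    ("node", "git push -u origin main"),
]

if __name__ == "__main__":
    for v in ("2.48.0", "3.15.2", "3.32.1", "3.32.2"):
        print(f"simple-git {v}: upgrade to {required_upgrade(v)}")
    for cmd, reasons in scan_log(SAMPLE_LOG):
        print(cmd, "->", "; ".join(reasons))
```

The version check keeps all three ranges from the record rather than collapsing them, because the notes warn that the fix version depends on which bypass is being tracked; `required_upgrade()` returns the highest fix version among the ranges that still match, so a 3.32.1 install is reported as needing 3.32.2 while a 2.x install is reported as needing 3.32.0. The command-line scan deliberately matches any short-option cluster ending in `u` rather than a fixed list, since the notes state that enumerating every valid variant is infeasible.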

CVSS provenance

  • nvd: v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • ghsa: 9.8 CRITICAL
  • osv: 9.8 CRITICAL
  • vendor_redhat: 8.1 HIGH