CVE-2022-25912
Published: 2022-12-06
Priority: P3 (57) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.78% (84.6th percentile)
The package simple-git before 3.15.0 is vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via the clone() method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306).
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| simple-git_project | simple-git | < 3.36.0 | 3.36.0 |
| simple-git_project | simple-git | < 3.15.0 | 3.15.0 |
| simple-git_project | simple-git | < 3.16.0 | 3.16.0 |
| simple-git_project | simple-git | >= 0 < 3.15.0 | 3.15.0 |
| simple-git_project | simple-git | >= 0 < 3.16.0 | 3.16.0 |
| simple-git_project | simple-git | >= 0 < 3.36.0 | 3.36.0 |
| simple-git_project | simple-git | >= 0 < 3.32.0 | 3.32.0 |
| simple-git_project | simple-git | >= 3.15.0 < 3.32.2 | 3.32.2 |
| simple-git_project | simple-git | >= 3.15.0 < 3.36.0 | 3.36.0 |
| simple-git_project | simple-git | >= 3.15.0 < 3.32.3 | 3.32.3 |
| steveukx | git-js | < 3.32.0 | 3.32.0 |
Detection & IOCs (extracted from sources)
- Monitor for Git commands that include the ext:: transport protocol in repository URLs, which is the primary exploitation vector for this RCE vulnerability.
- Detect attempts to inject Git configuration options that re-enable the ext:: protocol, specifically the argument --config (long form) as a bypass of the -c option block.
- Alert on any Git invocation containing 'protocol.ext.allow=always' in arguments or configuration, as this is the specific config injection used to re-enable the dangerous ext:: protocol.
- Exploitation requires untrusted input to reach simple-git operation arguments (e.g., clone/fetch); applications that sanitize or do not expose these arguments to user input are not exploitable.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | | 9.8 | CRITICAL | |
| osv | | 9.8 | CRITICAL | |
| vendor_redhat | | 8.1 | HIGH | |
Red Hat
simple-git: simple-git: Remote Code Execution via bypass of prior security fixes
vendor_redhat·2026-03-10·CVSS 8.1
CVE-2026-28292 [HIGH] CWE-76 simple-git: simple-git: Remote Code Execution via bypass of prior security fixes
simple-git: simple-git: Remote Code Execution via bypass of prior security fixes
`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.
A vulnerability was discovered in the simple-git Node.js library. The issue is caused by improper validation of user-supplied input when constructing Git commands. An attacker able to supply specially crafted repository URLs or arguments could exploit Git’s ext:: protocol handler to execute arbitrary commands on the underlying system.
This flaw bypasses earlier mitigations in
GHSA
simple-git is vulnerable to Remote Code Execution
ghsa·2026-04-25·CVSS 9.8
CVE-2026-6951 [CRITICAL] CWE-94 simple-git is vulnerable to Remote Code Execution
simple-git is vulnerable to Remote Code Execution
Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221) that blocks the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source.
GHSA
simple-git Affected by Command Execution via Option-Parsing Bypass
ghsa·2026-04-13·CVSS 9.8
CVE-2026-28291 [CRITICAL] CWE-78 simple-git Affected by Command Execution via Option-Parsing Bypass
simple-git Affected by Command Execution via Option-Parsing Bypass
### Summary
simple-git enables running native Git commands from JavaScript. Some commands accept options that allow executing another command; because this is very dangerous, execution is denied unless the user explicitly allows it. This vulnerability allows a malicious actor who can control the options to execute other commands even in a “safe” state where the user has not explicitly allowed them. The vulnerability was introduced by an incorrect patch for CVE-2022-25860. It is *likely* to affect all versions prior to and including 3.28.0.
### Detail
This vulnerability was introduced by an incorrect patch for CVE-2022-25860.
It was reproduced in the following environment:
```
WSL Docker
node: v22.19.0
git: git versi
```
GHSA
simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE
ghsa·2026-03-10·CVSS 9.8
CVE-2026-28292 [CRITICAL] CWE-178 simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE
simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE
### Summary
The `blockUnsafeOperationsPlugin` in `simple-git` fails to block git protocol
override arguments when the config key is passed in uppercase or mixed case.
An attacker who controls arguments passed to git operations can enable the
`ext::` protocol by passing `-c PROTOCOL.ALLOW=always`, which executes an
arbitrary OS command on the host machine.
---
### Details
The `preventProtocolOverride` function in
`simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts` (line 24)
checks whether a `-c` argument configures `protocol.allow` using this regex:
```ts
if (!/^\s*protocol(.[a-z]+)?.allow/.test(next)) {
    return;
}
```
This regex is case-sensitive. Git treats config
OSV
simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE
osv·2026-03-10·CVSS 9.8
CVE-2026-28292 [CRITICAL] simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE
simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE
### Summary
The `blockUnsafeOperationsPlugin` in `simple-git` fails to block git protocol
override arguments when the config key is passed in uppercase or mixed case.
An attacker who controls arguments passed to git operations can enable the
`ext::` protocol by passing `-c PROTOCOL.ALLOW=always`, which executes an
arbitrary OS command on the host machine.
---
### Details
The `preventProtocolOverride` function in
`simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts` (line 24)
checks whether a `-c` argument configures `protocol.allow` using this regex:
```ts
if (!/^\s*protocol(.[a-z]+)?.allow/.test(next)) {
    return;
}
```
This regex is case-sensitive. Git treats config
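The two signals the Detection & IOCs list above calls out (an ext:: clone source and a -c/--config override of protocol.allow or protocol.ext.allow) and the case-sensitivity gap in the check quoted in this advisory can be exercised together in one defender-side scanner. The following is an added example written for this page, not code from simple-git or from any of the advisories. The function names (scanGitArgs, configPayloadAt, isProtocolAllowOverride, legacyIsProtocolAllowOverride), the sample argument lists and the placeholder ext:: value are constructed; the joined forms `-c<value>` and `--config=<value>` are included on the assumption that git clone's option parser accepts them alongside the separated forms.

```javascript
// Added example, not simple-git's own code: a defender-side scanner over a
// git argument list (the array simple-git ultimately hands to the git
// binary). It reports two signals described in the advisories above:
//   1. an ext:: transport URL in a positional argument, and
//   2. a -c / --config override of protocol.allow or protocol.<scheme>.allow,
//      matched case-insensitively because git config keys are
//      case-insensitive and git trims whitespace around the key.
// All names and sample data below are constructed for illustration.

// The case-sensitive check quoted in the CVE-2026-28292 advisory, kept
// verbatim so its behaviour can be contrasted with the hardened form.
const LEGACY_PROTOCOL_ALLOW = /^\s*protocol(.[a-z]+)?.allow/;

// Hardened form: case-insensitive, literal dots, any non-empty scheme token
// (group 2), and an optional "= value" part (group 3).
const PROTOCOL_ALLOW = /^\s*protocol(\.([^.=\s]+))?\.allow\s*(?:=\s*(.*))?$/i;

// ext:: at the start of an argument. Leading whitespace and case are
// tolerated as a conservative detection choice, not a claim about how git
// itself resolves the helper name.
const EXT_TRANSPORT = /^\s*ext::/i;

function legacyIsProtocolAllowOverride(configArg) {
  return LEGACY_PROTOCOL_ALLOW.test(configArg);
}

function isProtocolAllowOverride(configArg) {
  return PROTOCOL_ALLOW.test(configArg);
}

// Returns the "key=value" payload if args[i] sets a config variable in one
// of the forms assumed to be accepted for clone: "-c v", "-cv",
// "--config v", "--config=v". Returns null otherwise.
function configPayloadAt(args, i) {
  const arg = args[i];
  if (arg === '-c' || arg === '--config') {
    return i + 1 < args.length ? args[i + 1] : null;
  }
  if (arg.startsWith('--config=')) return arg.slice('--config='.length);
  if (arg.startsWith('-c') && arg.length > 2) return arg.slice(2);
  return null;
}

// Scans an argument list and returns one finding object per signal.
function scanGitArgs(args) {
  const findings = [];
  const strArgs = args.map(String);
  for (let i = 0; i < strArgs.length; i++) {
    const arg = strArgs[i];
    if (EXT_TRANSPORT.test(arg)) {
      findings.push({ index: i, kind: 'ext-transport', value: arg });
      continue;
    }
    const payload = configPayloadAt(strArgs, i);
    if (payload === null) continue;
    const m = PROTOCOL_ALLOW.exec(payload);
    if (m) {
      findings.push({
        index: i,
        kind: 'protocol-allow-override',
        scheme: m[2] ? m[2].toLowerCase() : '*', // '*' = protocol.allow (all schemes)
        value: m[3] === undefined ? null : m[3].trim(),
      });
    }
  }
  return findings;
}

// Constructed sample argument lists (not real invocations or real hosts).
const SAMPLE_ARGS = {
  benign: ['clone', '-c', 'core.autocrlf=false', 'https://example.invalid/repo.git', 'dest'],
  mixedCase: ['clone', '-c', 'PROTOCOL.ALLOW=always', 'ext::PLACEHOLDER-HELPER', 'dest'],
  longForm: ['clone', '--config=protocol.ext.allow=always', 'https://example.invalid/repo.git', 'dest'],
};

for (const [name, args] of Object.entries(SAMPLE_ARGS)) {
  console.log(name, JSON.stringify(scanGitArgs(args)));
}
```

In an application, run scanGitArgs over the argument array before it reaches the git binary and refuse the call on any finding; unlike an allow-list of permitted protocols, this check does not need to know which transports the caller intended to enable, so it is a reasonable belt-and-braces control on top of the library fix.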
GHSA
Remote code execution in simple-git
ghsa·2023-01-26·CVSS 9.8
CVE-2022-25860 [CRITICAL] CWE-78 Remote code execution in simple-git
Remote code execution in simple-git
Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of CVE-2022-25912.
OSV
Remote code execution in simple-git
osv·2023-01-26·CVSS 9.8
CVE-2022-25860 [CRITICAL] Remote code execution in simple-git
Remote code execution in simple-git
Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of CVE-2022-25912.
GHSA
simple-git vulnerable to Remote Code Execution when enabling the ext transport protocol
ghsa·2022-12-06·CVSS 9.8
CVE-2022-25912 [CRITICAL] CWE-78 simple-git vulnerable to Remote Code Execution when enabling the ext transport protocol
simple-git vulnerable to Remote Code Execution when enabling the ext transport protocol
The package simple-git before 3.15.0 is vulnerable to Remote Code Execution (RCE) when enabling the `ext` transport protocol, which makes it exploitable via `clone()` method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306).
OSV
simple-git vulnerable to Remote Code Execution when enabling the ext transport protocol
osv·2022-12-06·CVSS 9.8
CVE-2022-25912 [CRITICAL] simple-git vulnerable to Remote Code Execution when enabling the ext transport protocol
simple-git vulnerable to Remote Code Execution when enabling the ext transport protocol
The package simple-git before 3.15.0 is vulnerable to Remote Code Execution (RCE) when enabling the `ext` transport protocol, which makes it exploitable via `clone()` method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306).
No detection rules found.
No public exploits indexed.
References
- https://github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md#overriding-allowed-protocols
- https://github.com/steveukx/git-js/commit/774648049eb3e628379e292ea172dccaba610504
- https://github.com/steveukx/git-js/releases/tag/simple-git@3.15.0
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3153532
- https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221