CVE-2022-25912
published 2022-12-06

Priority: P357 (critical)
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 2.78% (84.6th percentile)
The package simple-git before 3.15.0 is vulnerable to Remote Code Execution (RCE) when the ext transport protocol is enabled, which makes it exploitable via the clone() method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306).

Affected

11 ranges

Vendor              Product     Version range         Fixed in
simple-git_project  simple-git  < 3.36.0              3.36.0
simple-git_project  simple-git  < 3.15.0              3.15.0
simple-git_project  simple-git  < 3.16.0              3.16.0
simple-git_project  simple-git  >= 0 < 3.15.0         3.15.0
simple-git_project  simple-git  >= 0 < 3.16.0         3.16.0
simple-git_project  simple-git  >= 0 < 3.36.0         3.36.0
simple-git_project  simple-git  >= 0 < 3.32.0         3.32.0
simple-git_project  simple-git  >= 3.15.0 < 3.32.2    3.32.2
simple-git_project  simple-git  >= 3.15.0 < 3.36.0    3.36.0
simple-git_project  simple-git  >= 3.15.0 < 3.32.3    3.32.3
steveukx            git-js      < 3.32.0              3.32.0

Detection & IOCs (extracted from sources)

Indicators:
  other:    ext::
  command:  protocol.ext.allow=always

  • Monitor for Git commands that include the ext:: transport protocol in repository URLs, which is the primary exploitation vector for this RCE vulnerability.
  • Detect attempts to inject Git configuration options that re-enable the ext:: protocol, specifically the long-form --config argument, which bypasses a filter that only blocks the -c option.
  • Alert on any Git invocation containing 'protocol.ext.allow=always' in arguments or configuration, as this is the specific config injection used to re-enable the dangerous ext:: protocol.
  • Exploitation requires untrusted input to reach simple-git operation arguments (e.g., clone/fetch); applications that sanitize these arguments or do not expose them to user input are not exploitable.
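The two indicators listed above (an ext:: transport URL and an injected protocol.ext.allow=always setting, in either the -c or the --config form) can be matched mechanically, both in recorded git command lines and in untrusted input before it reaches a clone()/fetch() call. The following Node.js script is an added example, not part of this CVE record and not code from the simple-git project. It assumes command lines are available as plain strings (for instance from a process-audit log), uses a hypothetical allowlist of harmless extra arguments, and the sample lines are constructed; the token `ext::placeholder-command` stands in for an ext:: URL and carries no real command.

```javascript
'use strict';

// Indicators from the record above.
const EXT_TRANSPORT = /^ext::/i;             // ext:: transport URL
const EXT_ALLOW = /^protocol\.ext\.allow=/i; // config key that re-enables it

// Walk one argv-style list of git arguments and report every indicator.
// Both the short form (-c k=v, -ck=v) and the long form (--config k=v,
// --config=k=v) are covered: a filter that only blocks "-c" is exactly the
// bypass the record describes.
function findExtIndicators(args) {
  const findings = [];
  for (let i = 0; i < args.length; i++) {
    const a = args[i];
    if (EXT_TRANSPORT.test(a)) {
      findings.push({ kind: 'ext-transport-url', value: a });
      continue;
    }
    let kv = null;
    let form = null;
    if ((a === '-c' || a === '--config') && i + 1 < args.length) {
      kv = args[i + 1];
      form = a === '-c' ? 'short' : 'long';
    } else if (a.startsWith('--config=')) {
      kv = a.slice('--config='.length);
      form = 'long';
    } else if (a.startsWith('-c') && a.length > 2) {
      kv = a.slice(2);
      form = 'short';
    }
    if (kv !== null && EXT_ALLOW.test(kv)) {
      findings.push({ kind: 'ext-protocol-enabled', value: kv, form });
    }
  }
  return findings;
}

// Minimal splitter for audit-log command lines: honours double and single
// quotes, no escape handling (assumption: logs record the plain command line).
function tokenize(cmdline) {
  const tokens = cmdline.match(/"[^"]*"|'[^']*'|\S+/g) || [];
  return tokens.map((t) => t.replace(/^(["'])(.*)\1$/, '$2'));
}

// Detection side: scan one recorded command line; only git invocations count.
function scanGitCommandLine(cmdline) {
  const args = tokenize(cmdline);
  if (args.length === 0) return [];
  const program = args[0].split(/[\\/]/).pop();
  if (program !== 'git') return [];
  return findExtIndicators(args.slice(1));
}

// Mitigation side: the record notes the bug is only reachable when untrusted
// input lands in clone()/fetch() arguments, so validate before calling them.
const ALLOWED_SCHEMES = new Set(['https:', 'ssh:']);
const ALLOWED_EXTRA_ARGS = new Set(['--depth=1', '--no-tags']); // hypothetical app policy

function validateCloneInput(repoUrl, extraArgs = []) {
  if (typeof repoUrl !== 'string' || repoUrl.length === 0) {
    return { ok: false, reason: 'repository URL must be a non-empty string' };
  }
  // A leading dash would make git parse the "URL" as an option.
  if (repoUrl.startsWith('-')) {
    return { ok: false, reason: 'repository URL looks like a command-line option' };
  }
  const findings = findExtIndicators([repoUrl, ...extraArgs]);
  if (findings.length > 0) {
    return { ok: false, reason: 'ext transport indicator present', findings };
  }
  let parsed;
  try {
    parsed = new URL(repoUrl);
  } catch (e) {
    return { ok: false, reason: 'repository URL is not a parseable absolute URL' };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: `scheme ${parsed.protocol} is not on the allowlist` };
  }
  const unexpected = extraArgs.filter((a) => !ALLOWED_EXTRA_ARGS.has(a));
  if (unexpected.length > 0) {
    return { ok: false, reason: `unexpected argument(s): ${unexpected.join(' ')}` };
  }
  return { ok: true };
}

// Constructed sample audit lines (not real logs).
const SAMPLE_COMMAND_LINES = [
  'git clone https://github.com/example/repo.git /srv/repo',
  'git clone "ext::placeholder-command" /srv/repo',
  '/usr/bin/git -c protocol.ext.allow=always clone "ext::placeholder-command" /srv/repo',
  'git clone --config protocol.ext.allow=always https://github.com/example/repo.git /srv/repo',
  'ls -la /srv',
];

for (const line of SAMPLE_COMMAND_LINES) {
  const hits = scanGitCommandLine(line);
  console.log(hits.length ? 'ALERT' : 'ok   ', line, hits.length ? JSON.stringify(hits) : '');
}
console.log(validateCloneInput('https://github.com/example/repo.git', ['--depth=1']));
console.log(validateCloneInput('https://github.com/example/repo.git', ['--config', 'protocol.ext.allow=always']));
```

The validator deliberately parses with the WHATWG URL class and allowlists schemes, so scp-style shorthand such as user@host:path is rejected as well; widen that check if the application legitimately needs it, but keep the option-prefix and indicator checks in front of it.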

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            3.1      9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa                    9.8    CRITICAL
osv                     9.8    CRITICAL
vendor_redhat           8.1    HIGH