CVE-2026-28291
Published 2026-04-13
Priority: P3 · 52 · high
CVSS 3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.65% (46.6th percentile)
simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for CVE-2022-25860, as Git's flexible option parsing allows numerous character combinations (e.g., -vu, -4u, -nu) to circumvent the regular-expression-based blocklist in the unsafe operations plugin. Due to the virtually infinite number of valid option variants that Git accepts, a complete blocklist-based mitigation may be infeasible without fully emulating Git's option parsing behavior. This issue has been fixed in version 3.32.0.
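The description above explains why a regular-expression blocklist cannot keep up with Git's option parsing: Git reads `-vu` as `-v -u`, so a pattern that matches the literal spellings `-u` and `--upload-pack` never sees the clustered form. The following JavaScript is an added illustration, not simple-git's own code and not its 3.32.0 fix. The blocklist regex, the permitted-option sets and the sample argument list are constructed for this example; which options are safe to permit depends on the Git subcommand being run.

```javascript
// Added example, not simple-git's own code. It contrasts a regex blocklist in
// the style the advisory describes with a deny-by-default option check.
// The regex, the permitted-option sets and the sample arguments are
// constructed for illustration.

// 1. Blocklist: match the literal dangerous spellings, let everything else
//    through. Git treats "-vu" as "-v -u", so the clustered spellings quoted
//    in the advisory never hit this pattern.
const BLOCKLIST = /^(-u|--upload-pack)(=.*)?$/;

function blocklistAllows(arg) {
  return !BLOCKLIST.test(arg);
}

// 2. Deny-by-default: accept only options whose every component is on an
//    explicit allowlist, so an unanticipated spelling is refused rather than
//    handed to Git. These sets are constructed; a real caller would derive
//    them from the subcommand it intends to run.
const SAFE_SHORT = new Set(['v', 'n', 'q']);
const SAFE_LONG = new Set(['oneline', 'no-color', 'max-count']);

function allowlistAllows(arg) {
  // Positional arguments (paths, refs), a bare "-" (stdin) and the "--"
  // end-of-options marker are not options, so they pass.
  if (!arg.startsWith('-') || arg === '-' || arg === '--') {
    return true;
  }
  if (arg.startsWith('--')) {
    // Long option: compare the name only, ignoring any "=value" suffix.
    const name = arg.slice(2).split('=', 1)[0];
    return SAFE_LONG.has(name);
  }
  // Short option cluster: "-vu" -> ['v', 'u']. Git may also glue a value onto
  // a short flag ("-n5"); any character outside the safe set causes a refusal,
  // which errs on the side of not running the command at all.
  return arg.slice(1).split('').every((ch) => SAFE_SHORT.has(ch));
}

// Constructed argument list: the clustered spellings quoted in the advisory
// next to ordinary options and a positional ref.
const SAMPLE_ARGS = [
  '-v', '--oneline', '-u', '--upload-pack=x', '-vu', '-4u', '-nu', 'HEAD',
];

// Arguments the blocklist passes but the allowlist refuses: the gap the
// advisory describes.
function blocklistGaps(args) {
  return args.filter((arg) => blocklistAllows(arg) && !allowlistAllows(arg));
}

console.log('blocklist gaps:', blocklistGaps(SAMPLE_ARGS));
```

Run over the constructed list, `blocklistGaps` returns the three clustered spellings from the advisory: each passes the regex untouched and is refused only by the allowlist. The point for a defender is the direction of the default: a blocklist must enumerate every spelling Git accepts, while an allowlist only has to enumerate what the caller actually needs.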
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| simple-git_project | simple-git | < 3.32.0 | 3.32.0 |
| simple-git_project | simple-git | >= 0 < 3.32.0 | 3.32.0 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | | 9.8 | CRITICAL | |
| vendor_redhat | | 8.1 | HIGH | |
Red Hat
simple-git: Command Execution via Option-Parsing Bypass in simple-git
vendor_redhat · 2026-04-13 · CVSS 8.1 (HIGH) · CWE-78
A flaw was found in simple-git, a JavaScript library for running native Git commands. An attacker could exploit this vulnerability by manipulating Git options, bypassing existing safety checks. This incomplete fix for a previous vulnerability allows for the execution of arbitrary commands, leading to potential system compromise.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: simple-git (Red Hat Build of Keycloak) - Affected
Package: grafana (Red Hat Enterprise Linux 8) - Affected
Package: grafana (Re
VulDB
steveukx git-js up to 3.31.x OS command injection (GHSA-jcxm-m3jx-f287)
vuldb · 2026-04-13 · CVSS 8.1 (HIGH)
A vulnerability marked as critical has been reported in steveukx git-js up to 3.31.x. This issue affects some unknown processing. Performing a manipulation results in OS command injection.
This vulnerability is reported as CVE-2026-28291. The attack can be carried out remotely. No exploit exists.
It is suggested to upgrade the affected component.
GHSA
simple-git Affected by Command Execution via Option-Parsing Bypass
ghsa · 2026-04-13 · CVSS 9.8 (CRITICAL) · CWE-78
### Summary
simple-git enables running native Git commands from JavaScript. Some commands accept options that allow executing another command; because this is very dangerous, execution is denied unless the user explicitly allows it. This vulnerability allows a malicious actor who can control the options to execute other commands even in a “safe” state where the user has not explicitly allowed them. The vulnerability was introduced by an incorrect patch for CVE-2022-25860. It is *likely* to affect all versions prior to and including 3.28.0.
### Detail
This vulnerability was introduced by an incorrect patch for CVE-2022-25860.
It was reproduced in the following environment:
```
WSL Docker
node: v22.19.0
git: git versi
```
No detection rules found.
No public exploits indexed.
References
https://github.com/steveukx/git-js/blob/789c13ebabcf18ebe0b3a0c88ebb4037dede42e3/simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts#L26
https://github.com/steveukx/git-js/commit/1effd8e5012a5da05a9776512fac3e39b11f2d2d
https://github.com/steveukx/git-js/releases/tag/simple-git%403.32.0
https://github.com/steveukx/git-js/security/advisories/GHSA-jcxm-m3jx-f287
https://www.cve.org/CVERecord?id=CVE-2022-25860
https://access.redhat.com/security/cve/CVE-2026-28291
https://bugzilla.redhat.com/show_bug.cgi?id=2457930
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-28291.json