CVE-2026-28292
Published 2026-03-10
Priority P265 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.30% (66.8th percentile)
`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| simple-git_project | simple-git | >= 3.15.0 < 3.32.2 | 3.32.2 |
| simple-git_project | simple-git | >= 3.15.0 < 3.32.3 | 3.32.3 |
Detection & IOCs (extracted from sources)
- Attacker injects configuration options that re-enable the Git ext:: protocol handler to execute arbitrary external commands through the Git client
- Vulnerable simple-git versions are 3.15.0 through 3.32.2; monitor for use of these versions in Node.js applications accepting untrusted repository URLs or git arguments
- This CVE bypasses prior fixes for CVE-2022-25860 and CVE-2022-25912; environments that applied only those earlier patches remain vulnerable if running simple-git 3.15.0–3.32.2
- The root cause is improper validation of user-supplied input when constructing Git commands; any simple-git operation (clone, fetch, etc.) that accepts untrusted input is a potential attack surface
- Red Hat has marked several OpenShift Logging packages as 'Will not fix', meaning those deployments remain permanently exposed unless upstream simple-git is updated independently
- No mitigation meeting Red Hat Product Security criteria is currently available for affected packages
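The second bullet asks defenders to find the affected versions in their Node.js applications. The following is an added example, not code from simple-git or from this page's sources: it walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` (older v1 lockfiles use a nested `dependencies` tree and are not handled here), matches both top-level and nested `simple-git` installs, and flags versions in the range the advisory summary gives, 3.15.0 through 3.32.2 inclusive (the "Affected" table above lists two slightly different upper bounds; the inclusive summary range is the conservative choice). The sample lockfile is constructed for the example.

```typescript
// Added example (not from simple-git): flag vulnerable simple-git installs in a
// package-lock.json. Function names and the sample lockfile are my own.

type Semver = [number, number, number];

// Parse "MAJOR.MINOR.PATCH" (optional leading "v", trailing pre-release/build ignored).
export function parseSemver(version: string): Semver | null {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version.trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison, component by component: -1, 0 or 1.
export function compareSemver(a: Semver, b: Semver): number {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Range taken from the advisory summary: 3.15.0 through 3.32.2, both inclusive.
const AFFECTED_MIN: Semver = [3, 15, 0];
const AFFECTED_MAX: Semver = [3, 32, 2];

export function isAffectedSimpleGit(version: string): boolean {
  const v = parseSemver(version);
  if (!v) return false; // unparseable versions are reported by a separate audit, not here
  return compareSemver(v, AFFECTED_MIN) >= 0 && compareSemver(v, AFFECTED_MAX) <= 0;
}

interface LockPackage { version?: string }
interface PackageLock { lockfileVersion?: number; packages?: Record<string, LockPackage> }

// Return "path@version" for every simple-git entry in the affected range.
// Nested copies appear as ".../node_modules/simple-git"; the endsWith check
// deliberately does not match look-alike names such as "simple-git-hooks".
export function findAffectedSimpleGit(lock: PackageLock): string[] {
  const packages = lock.packages ?? {};
  const hits: string[] = [];
  for (const path of Object.keys(packages)) {
    const isSimpleGit = path === 'node_modules/simple-git' || path.endsWith('/node_modules/simple-git');
    const version = packages[path].version;
    if (isSimpleGit && version && isAffectedSimpleGit(version)) {
      hits.push(`${path}@${version}`);
    }
  }
  return hits;
}

// Constructed sample lockfile: one vulnerable top-level install, one patched
// nested install, and an unrelated package with a similar name.
export const SAMPLE_LOCK: PackageLock = {
  lockfileVersion: 3,
  packages: {
    '': {},
    'node_modules/simple-git': { version: '3.20.0' },
    'node_modules/some-tool/node_modules/simple-git': { version: '3.32.3' },
    'node_modules/simple-git-hooks': { version: '2.9.0' },
  },
};

console.log(findAffectedSimpleGit(SAMPLE_LOCK)); // [ 'node_modules/simple-git@3.20.0' ]
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a non-empty result means the application still ships a version in the advisory's range regardless of whether the 2022 fixes were applied.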
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | 9.8 | CRITICAL | |
| osv | 9.8 | CRITICAL | |
| vendor_redhat | 8.1 | HIGH | |
Red Hat
simple-git: simple-git: Remote Code Execution via bypass of prior security fixes
vendor_redhat · 2026-03-10 · CVSS 8.1 · HIGH · CWE-76
A vulnerability was discovered in the simple-git Node.js library. The issue is caused by improper validation of user-supplied input when constructing Git commands. An attacker able to supply specially crafted repository URLs or arguments could exploit Git’s ext:: protocol handler to execute arbitrary commands on the underlying system.
This flaw bypasses earlier mitigations in
GHSA
simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE
ghsa · 2026-03-10 · CVSS 9.8 · CRITICAL · CWE-178
### Summary
The `blockUnsafeOperationsPlugin` in `simple-git` fails to block git protocol
override arguments when the config key is passed in uppercase or mixed case.
An attacker who controls arguments passed to git operations can enable the
`ext::` protocol by passing `-c PROTOCOL.ALLOW=always`, which executes an
arbitrary OS command on the host machine.
---
### Details
The `preventProtocolOverride` function in
`simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts` (line 24)
checks whether a `-c` argument configures `protocol.allow` using this regex:
```ts
if (!/^\s*protocol(.[a-z]+)?.allow/.test(next)) {
return;
}
```
This regex is case-sensitive. Git treats config
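Git treats config section and variable names case-insensitively, so an uppercase key reaches git as `protocol.allow` while the pattern above never sees it. The following is an added example, not code from simple-git and not the upstream fix commit: it places the advisory's pattern next to a hardened variant (my own suggestion) that lower-cases the key before matching, escapes the dots and anchors the whole key, then runs both over a constructed argv. All function names are mine; the argv is constructed with a placeholder URL.

```typescript
// Added example (not from simple-git): the advisory's case-sensitive check beside a
// normalising replacement. Names and sample data are my own.

// The pattern quoted in the advisory: lowercase only, and the unescaped dots
// match any character.
const ADVISORY_PATTERN = /^\s*protocol(.[a-z]+)?.allow/;

// Behaviour the advisory describes: blocks "protocol.allow=..." but lets
// "PROTOCOL.ALLOW=..." through untouched.
export function advisoryCheckBlocks(configArg: string): boolean {
  return ADVISORY_PATTERN.test(configArg);
}

// Hardened variant (suggested here, not the upstream fix): take the key part
// before "=", trim and lower-case it, then match with escaped dots and an end
// anchor. Any subsection form protocol.<name>.allow is blocked as well; blocking
// too much is the safe direction for this switch.
export function hardenedCheckBlocks(configArg: string): boolean {
  const eq = configArg.indexOf('=');
  const key = (eq === -1 ? configArg : configArg.slice(0, eq)).trim().toLowerCase();
  return /^protocol(\.[^.\s]+)?\.allow$/.test(key);
}

// Walk a git argv the way the plugin does: each "-c" switch is followed by the
// config assignment it applies. Returns the assignments the given check rejects.
export function findBlockedConfigArgs(
  args: readonly string[],
  check: (configArg: string) => boolean,
): string[] {
  const blocked: string[] = [];
  for (let i = 0; i + 1 < args.length; i++) {
    if (args[i] === '-c' && check(args[i + 1])) {
      blocked.push(args[i + 1]);
    }
  }
  return blocked;
}

// Constructed argv modelled on the advisory's uppercase key, with a benign
// second switch and a placeholder repository URL.
export const SAMPLE_ARGS: readonly string[] = [
  'clone', '-c', 'PROTOCOL.ALLOW=always', '-c', 'core.editor=vim',
  'https://example.invalid/repo.git', 'dest',
];

console.log('advisory pattern blocks:', findBlockedConfigArgs(SAMPLE_ARGS, advisoryCheckBlocks)); // []
console.log('hardened check blocks: ', findBlockedConfigArgs(SAMPLE_ARGS, hardenedCheckBlocks)); // [ 'PROTOCOL.ALLOW=always' ]
```

The same normalisation belongs anywhere an allow/deny list is matched against git config keys: compare on the canonical lower-case key, not on the raw string the caller supplied.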
OSV
simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE
osv · 2026-03-10 · CVSS 9.8 · CRITICAL
No detection rules found.
No public exploits indexed.
References
- https://github.com/steveukx/git-js/commit/f7042088aa2dac59e3c49a84d7a2f4b26048a257
- https://github.com/steveukx/git-js/security/advisories/GHSA-r275-fr43-pm7q
- https://www.codeant.ai/security-research/security-research-simple-git-remote-code-execution-cve-2026-28292
- https://access.redhat.com/security/cve/CVE-2026-28292
- https://bugzilla.redhat.com/show_bug.cgi?id=2446162
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-28292.json
- https://www.codeant.ai/security-research/simple-git-remote-code-execution-cve-2026-28292
Published: 2026-03-10