12 matches found
CVE-2026-6951
CVE-2026-6951 affects the Node.js package “simple-git.” The vulnerability lies in versions before 3.36.0, due to an incomplete fix for CVE-2022-25912 that blocks the -c option but not the equivalent --config form. If untrusted input reaches the options argument, an attacker could achieve remote c...
GHSA-R275-FR43-PM7Q simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE
Summary The blockUnsafeOperationsPlugin in simple-git fails to block git protocol override arguments when the config key is passed in uppercase or mixed case. An attacker who controls arguments passed to git operations can enable the ext:: protocol by passing -c PROTOCOL.ALLOW=always, which...
org.webjars.npm:g-status (=2.0.2), org.webjars.npm:graphql-toolkit__git-loader (=0.7.5) potentially affected by CVE-2022-25912 +1 more via org.webjars.npm:simple-git (>=1.129.0 <=1.132.0)
org.webjars.npm:simple-git MAVEN version =1.129.0, =1.132.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:simple-git and may be impacted: - org.webjars.npm:g-status =2.0.2 - org.webjars.npm:graphql-toolkitgit-loader =0.7.5 Source cves...
3extensions (=1.0.1), @51jbs/incremental-coverage-plugin (=1.0.5) +534 more potentially affected by CVE-2022-25912 +1 more via simple-git (>=3.0.3 <=3.35.2)
simple-git NPM version =3.0.3, =1.0.1, =1.0.1, =0.0.0-ad-beta.1, =0.0.0-aj-beta.3, =23.0.0, =35.0.0, =1.4.0, =0.1.5-alpha.0, =1.0.2, =0.0.0-aj-beta.221, =8.7.2, =8.11.4 and more Source cves: CVE-2022-25912, CVE-2026-6951 Source advisory: SNYK:JS-SIMPLEGIT-15456078...
Remote Code Execution (RCE)
Overview simple-git is a light weight interface for running git commands in any node.js application. Affected versions of this package are vulnerable to Remote Code Execution RCE due to an incomplete fix for CVE-2022-25912 that blocks the -c option but not the equivalent --config form. If untrust...
Security Bulletin: IBM Storage Ceph is vulnerable to OS Command Injection in Grafana (CVE-2022-25912, CVE-2022-25860, CVE-2022-25908)
Summary Simple Git is used by IBM Storage Ceph in Grafana for Metrics. This bulletin identifies the steps to take to address the vulnerability in IBM Storage Ceph. CVE-2022-25912, CVE-2022-25860, CVE-2022-25908. Vulnerability Details CVEID:CVE-2022-25912 DESCRIPTION: Node.js simple-git module cou...
Security Bulletin: IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities
Summary There are multiple vulnerabilities in components of IBM i Modernization Engine for Lifecycle Integration as described in the Vulnerability Details section. Node.js follow-redirects module could allow a remote authenticated attacker to obtain sensitive information CVE-2024-28849,...
GHSA-9W5J-4MWV-2WJ8 Remote code execution in simple-git
Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution RCE via the clone, pull, push and listRemote methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of CVE-2022-25912...
Input validation
Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution RCE via the clone, pull, push and listRemote methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of CVE-2022-25912...
CVE-2022-25860
The CVE-2022-25860 entry concerns the simple-git package. Versions before 3.16.0 are vulnerable to Remote Code Execution via clone(), pull(), push(), and listRemote() due to improper input sanitization, tied to an incomplete fix of CVE-2022-25912. CERT/OSV/NVD/IBM/Red Hat references confirm the i...
@51jbs/incremental-coverage-plugin (=1.0.5), @51jbs/spec-plugin (=2.0.0) +98 more potentially affected by CVE-2022-25860 +1 more via simple-git (>=3.0.3 <=3.15.1)
simple-git NPM version =3.0.3, =0.0.0-ad-beta.1, =0.0.0-aj-beta.3, =5.26.6, =14.24.1, =2.0.0, =0.0.64, =1.0.1-beta.0, =2.2.0, =2.3.2 and more Source cves: CVE-2022-25860, CVE-2022-25912 Source advisory: SNYK:JS-SIMPLEGIT-3177391...
CVE-2022-25912
CVE-2022-25912 affects the Node.js simple-git module prior to 3.16.0, with remote code execution via the ext transport protocol during clone() (incomplete fix of CVE-2022-24066). Several connected sources corroborate RCE via clone()/pull()/push()/listRemote() paths when input is crafted, with exp...