Simple-git Project / Simple-git

7 matches found

CVE
added 2022/04/01 8:00 p.m., 133 views

CVE-2022-24066

The CVE-2022-24066 issue affects the simple-git package prior to version 3.5.0, where command injection is possible due to an incomplete fix of CVE-2022-24433 and exposure via --upload-pack during fetch and an analogous path for git clone. Affected software: simple-git (Node.js). Root cause: inco...

CVSS 9.8, AI score 9.2, EPSS 0.04067

CVE
added 2022/12/12 1:49 a.m., 117 views

CVE-2022-25912

CVE-2022-25912 affects the Node.js simple-git module prior to 3.16.0, with remote code execution via the ext transport protocol during clone() (incomplete fix of CVE-2022-24066). Several connected sources corroborate RCE via clone()/pull()/push()/listRemote() paths when input is crafted, with exp...

CVSS 9.8, AI score 9.1, EPSS 0.02784

CVE
added 2022/03/11 4:15 p.m., 110 views

CVE-2022-24433

CVE-2022-24433 affects the Node.js module simple-git (pre-3.5.0) and allows command injection via argument injection in the fetch path. The vulnerability arises because remote/branch values passed to the git fetch subcommand can be manipulated to execute arbitrary commands; the issue also concern...

CVSS 9.8, AI score 9.4, EPSS 0.03499

CVE
added 2023/01/24 5:00 a.m., 104 views

CVE-2022-25860

The CVE-2022-25860 entry concerns the simple-git package. Versions before 3.16.0 are vulnerable to Remote Code Execution via clone(), pull(), push(), and listRemote() due to improper input sanitization, tied to an incomplete fix of CVE-2022-25912. CERT/OSV/NVD/IBM/Red Hat references confirm the i...

CVSS 9.8, AI score 9.7, EPSS 0.02712

CVE
added 2026/04/25 5:00 a.m., 47 views

CVE-2026-6951

CVE-2026-6951 affects the Node.js package “simple-git.” The vulnerability lies in versions before 3.36.0, due to an incomplete fix for CVE-2022-25912 that blocks the -c option but not the equivalent --config form. If untrusted input reaches the options argument, an attacker could achieve remote c...

CVSS 9.8, AI score 6.5, EPSS 0.01098

CVE
added 2026/03/10 6:34 p.m., 31 views

CVE-2026-28292

The CVE-2026-28292 entry concerns the Node.js package simple-git. Affected versions are 3.15.0 through 3.32.2 and the issue bypasses prior fixes from CVE-2022-25860 and CVE-2022-25912, enabling full remote code execution on the host. A fix is noted in version 3.23.0. No exploitation details or in...

CVSS 9.8, AI score 6.4, EPSS 0.01272

CVE
added 2026/04/13 5:15 p.m., 14 views

CVE-2026-28291

CVE-2026-28291 affects the Node.js package simple-git up to version 3.31.1, where an attacker can execute arbitrary commands by abusing Git option parsing. The flaw stems from an incomplete fix for CVE-2022-25860: Git’s flexible option parsing allows combinations such as -vu, -4u, -nu to bypass t...

CVSS 8.1, AI score 7.4, EPSS 0.00637