Simple-git Project: Simple-git*

5 matches found

CVE
added 2022/04/01 8:0 p.m. | 133 views

CVE-2022-24066

The CVE-2022-24066 issue affects the simple-git package prior to version 3.5.0, where command injection is possible due to an incomplete fix of CVE-2022-24433 and exposure via --upload-pack during fetch and an analogous path for git clone. Affected software: simple-git (Node.js). Root cause: inco...

CVSS 9.8 | AI score 9.2 | EPSS 0.04067
CVE
added 2022/12/12 1:49 a.m. | 117 views

CVE-2022-25912

CVE-2022-25912 affects the Node.js simple-git module prior to 3.16.0, with remote code execution via the ext transport protocol during clone() (incomplete fix of CVE-2022-24066). Several connected sources corroborate RCE via clone()/pull()/push()/listRemote() paths when input is crafted, with exp...

CVSS 9.8 | AI score 9.1 | EPSS 0.02784
CVE
added 2022/03/11 4:15 p.m. | 110 views

CVE-2022-24433

CVE-2022-24433 affects the Node.js module simple-git (pre-3.5.0) and allows command injection via argument injection in the fetch path. The vulnerability arises because remote/branch values passed to the git fetch subcommand can be manipulated to execute arbitrary commands; the issue also concern...

CVSS 9.8 | AI score 9.4 | EPSS 0.03499
CVE
added 2023/01/24 5:0 a.m. | 104 views

CVE-2022-25860

The CVE-2022-25860 entry concerns the simple-git package. Versions before 3.16.0 are vulnerable to Remote Code Execution via clone(), pull(), push(), and listRemote() due to improper input sanitization, tied to an incomplete fix of CVE-2022-25912. CERT/OSV/NVD/IBM/Red Hat references confirm the i...

CVSS 9.8 | AI score 9.7 | EPSS 0.02712
CVE
added 2026/04/13 5:15 p.m. | 15 views

CVE-2026-28291

CVE-2026-28291 affects the Node.js package simple-git up to version 3.31.1, where an attacker can execute arbitrary commands by abusing Git option parsing. The flaw stems from an incomplete fix for CVE-2022-25860: Git’s flexible option parsing allows combinations such as -vu, -4u, -nu to bypass t...

CVSS 8.1 | AI score 7.4 | EPSS 0.00637