Description
simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for CVE-2022-25860, as Git's flexible option parsing allows numerous character combinations (e.g., -vu, -4u, -nu) to circumvent the regular-expression-based blocklist in the unsafe operations plugin. Due to the virtually infinite number of valid option variants that Git accepts, a complete blocklist-based mitigation may be infeasible without fully emulating Git's option parsing behavior. This issue has been fixed in version 3.32.0.
Published: 2026-04-13
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Command Execution
Action: Immediate Patch
AI Analysis

Impact

simple-git allows the execution of arbitrary commands by manipulating Git options that bypass the plugin designed to block unsafe operations. The flaw lies in an incomplete expurgation of option strings, letting attackers craft variants such as -vu or -nu that slip past a regular expression blocklist. This constitutes an OS command injection weakness (CWE-78). The impact is that any code executing through simple-git can run arbitrary shell commands, potentially compromising the host system where the Node.js application runs.

Affected Systems

The vulnerability affects the simple-git library distributed by steveukx under the git-js project. Versions up to and including 3.31.1 are impacted, while version 3.32.0 and later contain the fix. Applications that rely on simple-git for remote Git interactions or local repository management are at risk if they use an affected version.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, reflecting that successful exploitation would provide full command execution. EPSS data is not available, and the flaw is not listed in the CISA KEV catalog, suggesting no widespread known exploitation yet. Attackers would need the ability to influence or inject Git options into the simple-git call; this is typically possible when the application processes untrusted data that is passed to git commands.

Generated by OpenCVE AI on April 13, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade simple-git to version 3.32.0 or later.
  • If an upgrade is not yet feasible, remove or disable the unsafe operations plugin and ensure no user-supplied options reach Git commands.
  • Sanitize all Git options passed to simple-git, rejecting any that contain characters or patterns associated with unsafe operations.
  • Monitor application logs for unexpected command executions and audit code paths that invoke simple-git.

Generated by OpenCVE AI on April 13, 2026 at 18:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jcxm-m3jx-f287 simple-git Affected by Command Execution via Option-Parsing Bypass
History

Tue, 14 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
References

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Steveukx
Steveukx git-js
Vendors & Products Steveukx
Steveukx git-js

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 13 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Description simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for CVE-2022-25860, as Git's flexible option parsing allows numerous character combinations (e.g., -vu, -4u, -nu) to circumvent the regular-expression-based blocklist in the unsafe operations plugin. Due to the virtually infinite number of valid option variants that Git accepts, a complete blocklist-based mitigation may be infeasible without fully emulating Git's option parsing behavior. This issue has been fixed in version 3.32.0.
Title simple-git has Command Execution via Option-Parsing Bypass
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Steveukx Git-js
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T16:30:34.266Z

Reserved: 2026-02-26T01:52:58.735Z

Link: CVE-2026-28291

cve-icon Vulnrichment

Updated: 2026-04-14T13:53:28.645Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-13T18:16:28.760

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-28291

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-13T17:15:14Z

Links: CVE-2026-28291 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:33:50Z

Weaknesses