Description
`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.
Published: 2026-03-10
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

simple-git, a Node.js library used to run git commands, contains a flaw that allows an attacker to bypass the blockUnsafeOperationsPlugin by exploiting a case‑insensitive protocol.allow configuration key. This bypass removes critical safety checks and enables the execution of arbitrary git operations, giving an attacker full remote code execution on the host system. The vulnerability also compromises previous patches for CVE-2022-25860 and CVE-2022-25912.

Affected Systems

The issue affects steveukx’s simple‑git library for Node.js, specifically versions 3.15.0 through 3.32.2. Applications built with these versions and configured with a protocol.allow key that is not strictly lowercase are at risk. Version 3.23.0 contains a fix that eliminates the vulnerability, but any deployment still running an earlier version remains vulnerable.

Risk and Exploitability

With a CVSS score of 9.8 this flaw is a critical-severity threat. Although the EPSS score is below 1%, indicating a low probability of exploitation in the wild, the potential impact is catastrophic. Attackers who can supply a malicious configuration value, or trigger a git operation through the library, can execute arbitrary commands on the host. The attack vector is inferred to involve supplying a repository URL or configuration value that the application processes, thereby exploiting the case-insensitive protocol.allow check. The vulnerability is not listed in the CISA KEV catalog, but its severity warrants urgent action.

Generated by OpenCVE AI on April 15, 2026 at 15:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade simple‑git to version 3.23.0 or later, which removes the vulnerable configuration handling.
  • Ensure that the application never uses a protocol.allow key that differs in case from the expected lowercase string; consider removing the key or setting it to false.
  • Audit all Git operations performed through simple‑git to verify that no external input can craft a malicious protocol.allow value; enforce strict input validation.
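The second and third recommendations above come down to one check: a config-key guard must compare keys the way git does, not as raw strings. Git compares the section and variable-name parts of a config key case-insensitively; only a subsection (the middle part of a three-part key such as `url.<base>.insteadOf`) is case-sensitive. The following is an added example written for this page, not simple-git's own plugin code: a small guard that canonicalises `-c key=value` overrides before they reach a git child process and refuses the call when a blocked key appears in any letter case. The blocklist, the helper names (`canonicalGitConfigKey`, `isBlockedConfigOverride`, `findBlockedOverrides`, `assertSafeGitArgs`) and the sample argv values are all constructed for the example; `protocol.allow` is the key the advisory names.

```javascript
'use strict';
// Added example, not simple-git's code: a defensive guard for git config
// overrides that is robust to letter-case variants of a blocked key.

// Constructed blocklist. `protocol.allow` is the key named in the advisory;
// extend it only with keys your own review identifies.
const BLOCKED_CONFIG_KEYS = new Set(['protocol.allow']);

// Canonicalise a key the way git compares it: the section and the final
// variable name are lower-cased, any subsection between them is kept as-is.
function canonicalGitConfigKey(rawKey) {
  const parts = String(rawKey).trim().split('.');
  if (parts.length < 2) return parts[0].toLowerCase();
  const section = parts[0].toLowerCase();
  const name = parts[parts.length - 1].toLowerCase();
  const subsection = parts.slice(1, -1).join('.'); // restores inner dots
  return subsection === '' ? `${section}.${name}` : `${section}.${subsection}.${name}`;
}

// True when an override of this key must not be accepted from untrusted
// input. Covers `protocol.allow` and git's per-scheme `protocol.<scheme>.allow`.
function isBlockedConfigOverride(rawKey) {
  const key = canonicalGitConfigKey(rawKey);
  if (BLOCKED_CONFIG_KEYS.has(key)) return true;
  const parts = key.split('.');
  return parts.length === 3 && parts[0] === 'protocol' && parts[2] === 'allow';
}

// Inspect a git argv (as it would be handed to child_process.spawn) and
// return the blocked keys found. Only the `-c <key=value>` spelling is
// inspected here; an empty result means the argv passed the guard.
function findBlockedOverrides(args) {
  const hits = [];
  for (let i = 0; i < args.length - 1; i++) {
    if (args[i] !== '-c') continue;
    const assignment = args[i + 1];
    const eq = assignment.indexOf('=');
    const key = eq === -1 ? assignment : assignment.slice(0, eq);
    if (isBlockedConfigOverride(key)) hits.push(key);
  }
  return hits;
}

// Refuse to run rather than silently dropping the argument, so the rejected
// input shows up in application logs instead of being masked.
function assertSafeGitArgs(args) {
  const hits = findBlockedOverrides(args);
  if (hits.length > 0) {
    throw new Error(`refusing git invocation: blocked config override(s) ${hits.join(', ')}`);
  }
  return args;
}

// Constructed sample inputs (not taken from the advisory).
function demo() {
  const blocked = findBlockedOverrides(['-c', 'Protocol.Allow=always', 'clone', 'repo']);
  const allowed = findBlockedOverrides(['-c', 'core.autocrlf=false', 'status']);
  return { blocked, allowed };
}

console.log(demo());
```

A raw string comparison against `'protocol.allow'` would accept `Protocol.Allow` and let git apply it; the canonicalised comparison above rejects it, as well as the per-scheme form. The same normalisation must be applied on every path by which a config key can reach git from untrusted input, not only the `-c` spelling this example inspects; for instance git also reads overrides from the `GIT_CONFIG_PARAMETERS` environment variable, so environment handed to the child process needs the same scrutiny.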



Advisories
Source: Github GHSA
ID: GHSA-r275-fr43-pm7q
Title: simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE
History

Tue, 14 Apr 2026 16:15:00 +0000

References
Metrics (ssvc):
  Removed: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
  Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 18:00:00 +0000

Title:
  Removed: simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE
  Added: simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key that enables RCE
References

Fri, 13 Mar 2026 00:15:00 +0000

Weaknesses: CWE-76
References
Metrics (threat_severity):
  Removed: None
  Added: Important


Thu, 12 Mar 2026 17:15:00 +0000

First Time appeared: Simple-git Project; Simple-git Project simple-git
CPEs: cpe:2.3:a:simple-git_project:simple-git:*:*:*:*:*:node.js:*:*
Vendors & Products: Simple-git Project; Simple-git Project simple-git

Wed, 11 Mar 2026 15:15:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 12:00:00 +0000

First Time appeared: Steveukx; Steveukx simple-git
Vendors & Products: Steveukx; Steveukx simple-git

Tue, 10 Mar 2026 19:00:00 +0000

Description: `simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.
Title: simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE
Weaknesses: CWE-178, CWE-78
References
Metrics (cvssV3_1): {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T15:30:40.620Z

Reserved: 2026-02-26T01:52:58.736Z

Link: CVE-2026-28292

Vulnrichment

Updated: 2026-03-11T14:16:25.324Z

NVD

Status : Modified

Published: 2026-03-10T19:17:20.840

Modified: 2026-04-14T16:16:38.047

Link: CVE-2026-28292

Redhat

Severity : Important

Public Date: 2026-03-10T18:34:21Z

Links: CVE-2026-28292 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T17:00:07Z

Weaknesses