CVE-2026-6951 - Vulnerability Details

- simple-git: simple-git: Remote Code Execution due to incomplete fix bypass

Description

Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221) that blocks the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source.

Published: 2026-04-25

Score: 9.2 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability is a residual flaw from a prior command injection issue where the -c option for passing Git configuration was blocked but the equivalent --config option was not. Due to an incomplete patch for CVE-2022-25912, any untrusted input that reaches the options parameter of simple-git can be used to inject shell commands. An attacker can craft a --config entry that sets protocol.ext.allow=always and provides an ext:: clone source, causing underlying shell code to execute with the privileges of the running Node.js process. The weakness is a code injection flaw as classified by CWE-94 and CWE-88.

Affected Systems

The affected product is the npm package simple-git. Every installation that uses a version earlier than 3.36.0 is potentially vulnerable, regardless of the surrounding application, because the insecure handling occurs inside the library itself. Scripts or services that expose simple-git to user supplied options are at highest risk.

Risk and Exploitability

The CVSS score of 9.2 designates this flaw as critical, while the EPSS score of less than 1% suggests a presently low but non-zero exploitation likelihood. The absence of the vulnerability from CISA’s KEV catalog does not diminish the risk, as exploitation would rely on crafting tailored --config options that enable protocol.ext.allow and reference an ext:: source. An attacker with access to the options argument can achieve full remote code execution on the target system.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

simple-git

affected

Version	Status	Constraints
`0`	affected	< 3.36.0

No data.

Vendor Product Confidence Versions

Steveukx

Simple-git

90%

Version	Status	Scheme	Platform
`[0,3.36.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade simple‑git to version 3.36.0 or newer.
Validate or sanitize all data that is passed as options to simple‑git, ensuring no untrusted content is included.
Restrict protocol.ext.allow to safe values and avoid using ext:: clone sources when possible.

Generated by OpenCVE AI on May 6, 2026 at 01:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-hffm-xvc3-vprc	simple-git is vulnerable to Remote Code Execution

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00111.

Exploitation poc

Automatable yes

Technical Impact total

References

Link	Providers
https://gist.github.com/KKC73/02d1d97f3410756095b501fda0ac8ca6
https://github.com/steveukx/git-js/commit/89a2294febed5dfe737c4c735d936bb6018746a8
https://nvd.nist.gov/vuln/detail/CVE-2026-6951
https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-15456078
https://www.cve.org/CVERecord?id=CVE-2026-6951

History

Wed, 06 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Title	Residual Command Injection via Incomplete Sanitization of --config in simple‑git Pre‑3.36.0	simple-git: simple-git: Remote Code Execution due to incomplete fix bypass
Weaknesses		CWE-88
References		https://nvd.nist.gov/vuln/detail/CVE-2026-6951 https://www.cve.org/CVERecord?id=CVE-2026-6951
Metrics	threat_severity `None`	threat_severity `Important`

Tue, 28 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
Title		Residual Command Injection via Incomplete Sanitization of --config in simple‑git Pre‑3.36.0

Mon, 27 Apr 2026 21:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Steveukx Steveukx simple-git
Vendors & Products		Steveukx Steveukx simple-git

Sat, 25 Apr 2026 11:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Sat, 25 Apr 2026 05:30:00 +0000

Type	Values Removed	Values Added
Description		Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221) that blocks the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source.
Weaknesses		CWE-94
References		https://gist.github.com/KKC73/02d1d97f3410756095b501fda0ac8ca6 https://github.com/steveukx/git-js/commit/89a2294febed5dfe737c4c735d936bb6018746a8 https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-15456078
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P'}` cvssV4_0 `{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Steveukx Simple-git

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2026-04-25T05:00:05.257Z

Updated: 2026-04-25T10:50:22.342Z

Reserved: 2026-04-24T07:25:39.128Z

Link: CVE-2026-6951

Vulnrichment

Updated: 2026-04-25T10:49:36.870Z

NVD

Status : Awaiting Analysis

Published: 2026-04-25T06:16:16.453

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-6951

Redhat

Severity : Important

Publid Date: 2026-04-25T05:00:05Z

Links: CVE-2026-6951 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-06T01:30:15Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object