CRITICAL🇵🇱 Wersja polska

CVE-2026-28292

CVSS 9.8v3.1pub. 2026-03-10upd. 2026-06-30

`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.

🤖 AI Analysis
How it works

The vulnerability results from improper handling of input data passed to git commands in Node.js applications using the `simple-git` library. Input validation and sanitization mechanisms introduced as patches for CVE-2022-25860 and CVE-2022-25912 can be bypassed, classified as CWE-78 (command injection) and CWE-178 (improper case-sensitive comparison). An attacker can craft malicious input that will be interpreted as system commands and executed on the server.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code remotely (RCE) on the host machine without authentication, which can lead to complete system compromise, data disclosure, or data modification.

Mitigation & patch

The `simple-git` library should be updated to version 3.23.0 or higher containing the patch. Details are available in the project repository and in security advisory GHSA-r275-fr43-pm7q.

Who is affected

Simple-Git Project Simple-Git in versions from 3.15.0 to 3.32.2 (excluding version 3.23.0, which contains the patch). Affects Node.js applications using the `simple-git` library.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Simple Git Project Simple Git

    APP
    Simple-Git Project
    3.15.0 – 3.32.2 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCECommand Injection
CWE
References

Related vulnerabilities

CVE-2026-6951HIGH8.2ten sam produkt

Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incom...

CVE-2026-28291HIGH8.1ten sam produkt

simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow exec...

CVE-2022-25860HIGH8.1ten sam produkt

Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone()...

CVE-2022-25912HIGH8.1ten sam produkt

The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext trans...

CVE-2022-24066HIGH8.1ten sam produkt

The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of [CVE-2022-...