Simple Git
Monthly
Remote code execution in simple-git before 3.36.0 allows unauthenticated attackers to execute arbitrary commands via incomplete sanitization of command-line options. The vulnerability bypasses the prior CVE-2022-25912 fix by accepting --config instead of the blocked -c flag, enabling protocol.ext.allow=always configuration and malicious ext:: URLs. Publicly available exploit code exists (POC confirmed), with EPSS score of 0.08% indicating low current exploitation probability despite the theoretical severity. SSVC framework classifies this as automatable with total technical impact.
simple-git Node.js library has a command injection vulnerability (EPSS with patch) enabling RCE when processing untrusted git operations.
The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199) which only patches. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Remote code execution in simple-git before 3.36.0 allows unauthenticated attackers to execute arbitrary commands via incomplete sanitization of command-line options. The vulnerability bypasses the prior CVE-2022-25912 fix by accepting --config instead of the blocked -c flag, enabling protocol.ext.allow=always configuration and malicious ext:: URLs. Publicly available exploit code exists (POC confirmed), with EPSS score of 0.08% indicating low current exploitation probability despite the theoretical severity. SSVC framework classifies this as automatable with total technical impact.
simple-git Node.js library has a command injection vulnerability (EPSS with patch) enabling RCE when processing untrusted git operations.
The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199) which only patches. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.