Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:npm/simple-git@1.101.0
purl pkg:npm/simple-git@1.101.0
Next non-vulnerable version 3.36.0
Latest non-vulnerable version 3.36.0
Risk 4.5
Vulnerabilities affecting this package (6)
Vulnerability Summary Fixed by
VCID-aay3-4t59-pqe8
Aliases:
CVE-2022-25912
GHSA-9p95-fxvg-qgq2
simple-git vulnerable to Remote Code Execution when enabling the ext transport protocol The package simple-git before 3.15.0 is vulnerable to Remote Code Execution (RCE) when enabling the `ext` transport protocol, which makes it exploitable via `clone()` method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306).
3.15.0
Affected by 4 other vulnerabilities.
VCID-gtcg-eu7c-p7e6
Aliases:
CVE-2026-6951
GHSA-hffm-xvc3-vprc
simple-git: simple-git: Remote Code Execution due to incomplete fix bypass
3.36.0
Affected by 0 other vulnerabilities.
VCID-jghj-d43k-h7h4
Aliases:
CVE-2026-28291
GHSA-jcxm-m3jx-f287
simple-git: simple-git: Command Execution via Option-Parsing Bypass in simple-git
3.32.0
Affected by 2 other vulnerabilities.
VCID-mmws-zvx3-ebgm
Aliases:
CVE-2022-24066
GHSA-28xr-mwxg-3qc8
Improper Neutralization of Special Elements used in a Command ('Command Injection') The package simple-git before 3.5.0 is vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199) which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.
3.5.0
Affected by 4 other vulnerabilities.
VCID-vm66-yukk-qfcs
Aliases:
CVE-2022-25860
GHSA-9w5j-4mwv-2wj8
Remote code execution in simple-git Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of CVE-2022-25912.
3.16.0
Affected by 3 other vulnerabilities.
VCID-ztn5-rrz1-n7ed
Aliases:
CVE-2022-24433
GHSA-3f95-r44v-8mrg
Improper Neutralization of Special Elements used in a Command ('Command Injection') The package simple-git before 3.3.0 is vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution.
3.3.0
Affected by 5 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-06T08:17:27.841099+00:00 GitLab Importer Affected by VCID-gtcg-eu7c-p7e6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/simple-git/CVE-2026-6951.yml 38.6.0
2026-06-06T07:57:59.403185+00:00 GitLab Importer Affected by VCID-jghj-d43k-h7h4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/simple-git/CVE-2026-28291.yml 38.6.0
2026-06-06T03:25:04.703337+00:00 GitLab Importer Affected by VCID-vm66-yukk-qfcs https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/simple-git/CVE-2022-25860.yml 38.6.0
2026-06-06T03:17:23.246144+00:00 GitLab Importer Affected by VCID-aay3-4t59-pqe8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/simple-git/CVE-2022-25912.yml 38.6.0
2026-06-06T01:39:11.830425+00:00 GitLab Importer Affected by VCID-mmws-zvx3-ebgm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/simple-git/CVE-2022-24066.yml 38.6.0
2026-06-06T01:34:22.410042+00:00 GitLab Importer Affected by VCID-ztn5-rrz1-n7ed https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/simple-git/CVE-2022-24433.yml 38.6.0