VulnerableCode Package Details - pkg:npm/simple-git@3.15.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-epz2-6ye6-bfay Aliases: CVE-2026-28292 GHSA-r275-fr43-pm7q	simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE The `blockUnsafeOperationsPlugin` in `simple-git` fails to block git protocol override arguments when the config key is passed in uppercase or mixed case. An attacker who controls arguments passed to git operations can enable the `ext::` protocol by passing `-c PROTOCOL.ALLOW=always`, which executes an arbitrary OS command on the host machine. --- \| # \| Vector \| Payload \| Sentinel file \| Result \| \|---\|--------\|---------\|---------------\|--------\| \| 1 \| CVE-2022-25912 original \| `protocol.ext.allow=always` (lowercase) \| not created \| Blocked ✅ \| \| 2 \| Case-sensitivity bypass \| `PROTOCOL.ALLOW=always` (uppercase) \| `/tmp/pwn-codeant` created \| RCE ⚠️ \| \| 3 \| Real-world app scenario \| `PROTOCOL.ALLOW=always` + attacker URL \| `/tmp/pwn-realworld` created \| RCE ⚠️ \| The case-sensitive regex in `preventProtocolOverride` blocks `protocol.*.allow` but does not account for uppercase or mixed-case variants. Git accepts all variants identically due to case-insensitive config key normalisation, allowing full bypass of the protection in all versions of simple-git that carry the 2022 fix. `/tmp/pwned` is created by the git subprocess via the `ext::` protocol. All of the following bypass the check: \| Argument passed via `-c` \| Regex matches? \| Git honours it? \| \|--------------------------\|:--------------:\|:---------------:\| \| `protocol.allow=always` \| ✅ blocked \| ✅ \| \| `PROTOCOL.ALLOW=always` \| ❌ bypassed \| ✅ \| \| `Protocol.Allow=always` \| ❌ bypassed \| ✅ \| \| `PROTOCOL.allow=always` \| ❌ bypassed \| ✅ \| \| `protocol.ALLOW=always` \| ❌ bypassed \| ✅ \| ---	3.32.3 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-epz2-6ye6-bfay
Aliases:
CVE-2026-28292
GHSA-r275-fr43-pm7q

simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE The `blockUnsafeOperationsPlugin` in `simple-git` fails to block git protocol override arguments when the config key is passed in uppercase or mixed case. An attacker who controls arguments passed to git operations can enable the `ext::` protocol by passing `-c PROTOCOL.ALLOW=always`, which executes an arbitrary OS command on the host machine. --- | # | Vector | Payload | Sentinel file | Result | |---|--------|---------|---------------|--------| | 1 | CVE-2022-25912 original | `protocol.ext.allow=always` (lowercase) | not created | Blocked ✅ | | 2 | Case-sensitivity bypass | `PROTOCOL.ALLOW=always` (uppercase) | `/tmp/pwn-codeant` created | **RCE ⚠️** | | 3 | Real-world app scenario | `PROTOCOL.ALLOW=always` + attacker URL | `/tmp/pwn-realworld` created | **RCE ⚠️** | The case-sensitive regex in `preventProtocolOverride` blocks `protocol.*.allow` but does not account for uppercase or mixed-case variants. Git accepts all variants identically due to case-insensitive config key normalisation, allowing full bypass of the protection in all versions of simple-git that carry the 2022 fix. `/tmp/pwned` is created by the git subprocess via the `ext::` protocol. All of the following bypass the check: | Argument passed via `-c` | Regex matches? | Git honours it? | |--------------------------|:--------------:|:---------------:| | `protocol.allow=always` | ✅ blocked | ✅ | | `PROTOCOL.ALLOW=always` | ❌ bypassed | ✅ | | `Protocol.Allow=always` | ❌ bypassed | ✅ | | `PROTOCOL.allow=always` | ❌ bypassed | ✅ | | `protocol.ALLOW=always` | ❌ bypassed | ✅ | ---

3.32.3
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:51:34.215779+00:00	GitLab Importer	Affected by	VCID-epz2-6ye6-bfay	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/simple-git/CVE-2026-28292.yml	38.6.0

2026-06-02T04:51:34.215779+00:00

GitLab Importer

Affected by

VCID-epz2-6ye6-bfay

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/simple-git/CVE-2026-28292.yml

38.6.0

Next non-vulnerable version	3.16.0
Latest non-vulnerable version	3.32.3
Risk