Package details: pkg:npm/simple-git@3.16.0
purl: pkg:npm/simple-git@3.16.0
Next non-vulnerable version: 3.36.0
Latest non-vulnerable version: 3.36.0
Risk: 4.5
Vulnerabilities affecting this package (3)

Vulnerability: VCID-epz2-6ye6-bfay
Aliases: CVE-2026-28292, GHSA-r275-fr43-pm7q
Summary: simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE

The `blockUnsafeOperationsPlugin` in `simple-git` fails to block git protocol override arguments when the config key is passed in uppercase or mixed case. An attacker who controls arguments passed to git operations can enable the `ext::` protocol by passing `-c PROTOCOL.ALLOW=always`, which executes an arbitrary OS command on the host machine.

---

| # | Vector | Payload | Sentinel file | Result |
|---|--------|---------|---------------|--------|
| 1 | CVE-2022-25912 original | `protocol.ext.allow=always` (lowercase) | not created | Blocked ✅ |
| 2 | Case-sensitivity bypass | `PROTOCOL.ALLOW=always` (uppercase) | `/tmp/pwn-codeant` created | **RCE ⚠️** |
| 3 | Real-world app scenario | `PROTOCOL.ALLOW=always` + attacker URL | `/tmp/pwn-realworld` created | **RCE ⚠️** |

The case-sensitive regex in `preventProtocolOverride` blocks `protocol.*.allow` but does not account for uppercase or mixed-case variants. Git accepts all variants identically due to case-insensitive config key normalisation, allowing full bypass of the protection in all versions of simple-git that carry the 2022 fix. `/tmp/pwned` is created by the git subprocess via the `ext::` protocol.

All of the following bypass the check:

| Argument passed via `-c` | Regex matches? | Git honours it? |
|--------------------------|:--------------:|:---------------:|
| `protocol.allow=always` | ✅ blocked | ✅ |
| `PROTOCOL.ALLOW=always` | ❌ bypassed | ✅ |
| `Protocol.Allow=always` | ❌ bypassed | ✅ |
| `PROTOCOL.allow=always` | ❌ bypassed | ✅ |
| `protocol.ALLOW=always` | ❌ bypassed | ✅ |

---
Fixed by: 3.32.3
Affected by 1 other vulnerability.
Vulnerability: VCID-gtcg-eu7c-p7e6
Aliases: CVE-2026-6951, GHSA-hffm-xvc3-vprc
Summary: simple-git: Remote Code Execution due to incomplete fix bypass
Fixed by: 3.36.0
Affected by 0 other vulnerabilities.
Vulnerability: VCID-jghj-d43k-h7h4
Aliases: CVE-2026-28291, GHSA-jcxm-m3jx-f287
Summary: simple-git: Command Execution via Option-Parsing Bypass in simple-git
Fixed by: 3.32.0
Affected by 2 other vulnerabilities.
Vulnerabilities fixed by this package (1)

Vulnerability: VCID-vm66-yukk-qfcs
Summary: Remote code execution in simple-git. Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of CVE-2022-25912.
Aliases: CVE-2022-25860, GHSA-9w5j-4mwv-2wj8

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|------|-------|--------|---------------|--------|------------------------|
| 2026-06-07T20:48:21.092948+00:00 | GHSA Importer | Fixing | VCID-vm66-yukk-qfcs | https://github.com/advisories/GHSA-9w5j-4mwv-2wj8 | 38.6.0 |
| 2026-06-06T08:17:28.387576+00:00 | GitLab Importer | Affected by | VCID-gtcg-eu7c-p7e6 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/simple-git/CVE-2026-6951.yml | 38.6.0 |
| 2026-06-06T07:58:00.000572+00:00 | GitLab Importer | Affected by | VCID-jghj-d43k-h7h4 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/simple-git/CVE-2026-28291.yml | 38.6.0 |
| 2026-06-06T07:17:31.938518+00:00 | GitLab Importer | Affected by | VCID-epz2-6ye6-bfay | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/simple-git/CVE-2026-28292.yml | 38.6.0 |
| 2026-06-04T17:16:54.513130+00:00 | GithubOSV Importer | Fixing | VCID-vm66-yukk-qfcs | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-9w5j-4mwv-2wj8/GHSA-9w5j-4mwv-2wj8.json | 38.6.0 |
| 2026-06-02T04:43:51.228800+00:00 | GitLab Importer | Fixing | VCID-vm66-yukk-qfcs | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/simple-git/CVE-2022-25860.yml | 38.6.0 |