Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:npm/simple-git@3.32.0
purl pkg:npm/simple-git@3.32.0
Next non-vulnerable version 3.36.0
Latest non-vulnerable version 3.36.0
Risk 4.5
Vulnerabilities affecting this package (2)
Vulnerability Summary Fixed by
VCID-epz2-6ye6-bfay
Aliases:
CVE-2026-28292
GHSA-r275-fr43-pm7q
simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE The `blockUnsafeOperationsPlugin` in `simple-git` fails to block git protocol override arguments when the config key is passed in uppercase or mixed case. An attacker who controls arguments passed to git operations can enable the `ext::` protocol by passing `-c PROTOCOL.ALLOW=always`, which executes an arbitrary OS command on the host machine. --- | # | Vector | Payload | Sentinel file | Result | |---|--------|---------|---------------|--------| | 1 | CVE-2022-25912 original | `protocol.ext.allow=always` (lowercase) | not created | Blocked ✅ | | 2 | Case-sensitivity bypass | `PROTOCOL.ALLOW=always` (uppercase) | `/tmp/pwn-codeant` created | **RCE ⚠️** | | 3 | Real-world app scenario | `PROTOCOL.ALLOW=always` + attacker URL | `/tmp/pwn-realworld` created | **RCE ⚠️** | The case-sensitive regex in `preventProtocolOverride` blocks `protocol.*.allow` but does not account for uppercase or mixed-case variants. Git accepts all variants identically due to case-insensitive config key normalisation, allowing full bypass of the protection in all versions of simple-git that carry the 2022 fix. `/tmp/pwned` is created by the git subprocess via the `ext::` protocol. All of the following bypass the check: | Argument passed via `-c` | Regex matches? | Git honours it? | |--------------------------|:--------------:|:---------------:| | `protocol.allow=always` | ✅ blocked | ✅ | | `PROTOCOL.ALLOW=always` | ❌ bypassed | ✅ | | `Protocol.Allow=always` | ❌ bypassed | ✅ | | `PROTOCOL.allow=always` | ❌ bypassed | ✅ | | `protocol.ALLOW=always` | ❌ bypassed | ✅ | ---
3.32.3
Affected by 1 other vulnerability.
VCID-gtcg-eu7c-p7e6
Aliases:
CVE-2026-6951
GHSA-hffm-xvc3-vprc
simple-git: simple-git: Remote Code Execution due to incomplete fix bypass
3.36.0
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-jghj-d43k-h7h4 simple-git: simple-git: Command Execution via Option-Parsing Bypass in simple-git CVE-2026-28291
GHSA-jcxm-m3jx-f287

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-07T20:53:19.135155+00:00 GHSA Importer Fixing VCID-jghj-d43k-h7h4 https://github.com/advisories/GHSA-jcxm-m3jx-f287 38.6.0
2026-06-06T08:17:28.467128+00:00 GitLab Importer Affected by VCID-gtcg-eu7c-p7e6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/simple-git/CVE-2026-6951.yml 38.6.0
2026-06-06T07:58:00.085472+00:00 GitLab Importer Fixing VCID-jghj-d43k-h7h4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/simple-git/CVE-2026-28291.yml 38.6.0
2026-06-06T07:17:32.075051+00:00 GitLab Importer Affected by VCID-epz2-6ye6-bfay https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/simple-git/CVE-2026-28292.yml 38.6.0
2026-06-04T16:53:24.840736+00:00 GithubOSV Importer Fixing VCID-jghj-d43k-h7h4 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-jcxm-m3jx-f287/GHSA-jcxm-m3jx-f287.json 38.6.0