Vulnerabilities affecting this package (0)
| Vulnerability |
Summary |
Fixed by |
|
This package is not known to be affected by vulnerabilities.
|
Vulnerabilities fixed by this package (1)
| Vulnerability |
Summary |
Aliases |
|
VCID-epz2-6ye6-bfay
|
simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE
The `blockUnsafeOperationsPlugin` in `simple-git` fails to block git protocol
override arguments when the config key is passed in uppercase or mixed case.
An attacker who controls arguments passed to git operations can enable the
`ext::` protocol by passing `-c PROTOCOL.ALLOW=always`, which executes an
arbitrary OS command on the host machine.
---
| # | Vector | Payload | Sentinel file | Result |
|---|--------|---------|---------------|--------|
| 1 | CVE-2022-25912 original | `protocol.ext.allow=always` (lowercase) | not created | Blocked ✅ |
| 2 | Case-sensitivity bypass | `PROTOCOL.ALLOW=always` (uppercase) | `/tmp/pwn-codeant` created | **RCE ⚠️** |
| 3 | Real-world app scenario | `PROTOCOL.ALLOW=always` + attacker URL | `/tmp/pwn-realworld` created | **RCE ⚠️** |
The case-sensitive regex in `preventProtocolOverride` blocks `protocol.*.allow` but does not account for uppercase or mixed-case variants. Git accepts all variants identically due to case-insensitive config key normalisation, allowing full bypass of the protection in all versions of simple-git that carry the 2022 fix.
`/tmp/pwned` is created by the git subprocess via the `ext::` protocol.
All of the following bypass the check:
| Argument passed via `-c` | Regex matches? | Git honours it? |
|--------------------------|:--------------:|:---------------:|
| `protocol.allow=always` | ✅ blocked | ✅ |
| `PROTOCOL.ALLOW=always` | ❌ bypassed | ✅ |
| `Protocol.Allow=always` | ❌ bypassed | ✅ |
| `PROTOCOL.allow=always` | ❌ bypassed | ✅ |
| `protocol.ALLOW=always` | ❌ bypassed | ✅ |
---
|
CVE-2026-28292
GHSA-r275-fr43-pm7q
|