Package details: pkg:npm/simple-git@3.5.0
purl: pkg:npm/simple-git@3.5.0
Next non-vulnerable version: 3.36.0
Latest non-vulnerable version: 3.36.0
Risk: 4.5
Vulnerabilities affecting this package (4)

VCID-2x3q-pntk-jqcs
Aliases: CVE-2022-25912, GHSA-9p95-fxvg-qgq2
Summary: Versions of the package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via the clone() method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306).
Fixed by: 3.15.0 (this version is itself affected by 4 other vulnerabilities)
VCID-6az5-f7ye-5uhj
Aliases: CVE-2022-25860, GHSA-9w5j-4mwv-2wj8
Summary: Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221).
Fixed by: 3.16.0 (this version is itself affected by 3 other vulnerabilities)
VCID-9tyq-hrn5-4kbn
Aliases: CVE-2026-28291, GHSA-jcxm-m3jx-f287
Summary: simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for CVE-2022-25860, as Git's flexible option parsing allows numerous character combinations (e.g., -vu, -4u, -nu) to circumvent the regular-expression-based blocklist in the unsafe operations plugin. Due to the virtually infinite number of valid option variants that Git accepts, a complete blocklist-based mitigation may be infeasible without fully emulating Git's option parsing behavior. This issue has been fixed in version 3.32.0.
Fixed by: 3.32.0 (this version is itself affected by 2 other vulnerabilities)
VCID-jrj3-d3uk-dfdh
Aliases: CVE-2026-6951, GHSA-hffm-xvc3-vprc
Summary: Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221) that blocks the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source.
Fixed by: 3.36.0 (this version is affected by 0 other vulnerabilities)
Vulnerabilities fixed by this package (1)

VCID-s55u-qv5w-gbhj
Summary: Command injection in simple-git
Aliases: CVE-2022-24066, GHSA-28xr-mwxg-3qc8

Change history

Date | Actor | Action | Vulnerability | Source | VulnerableCode version
2026-06-12T22:13:40.729032+00:00 | GitLab Importer | Affected by | VCID-jrj3-d3uk-dfdh | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/simple-git/CVE-2026-6951.yml | 38.6.0
2026-06-12T22:01:43.621636+00:00 | GitLab Importer | Affected by | VCID-9tyq-hrn5-4kbn | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/simple-git/CVE-2026-28291.yml | 38.6.0
2026-06-12T18:44:55.985445+00:00 | GitLab Importer | Affected by | VCID-6az5-f7ye-5uhj | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/simple-git/CVE-2022-25860.yml | 38.6.0
2026-06-12T18:41:28.585704+00:00 | GitLab Importer | Affected by | VCID-2x3q-pntk-jqcs | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/simple-git/CVE-2022-25912.yml | 38.6.0
2026-06-12T15:43:51.675112+00:00 | GitLab Importer | Fixing | VCID-s55u-qv5w-gbhj | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/simple-git/CVE-2022-24066.yml | 38.6.0
2026-06-12T08:13:10.586347+00:00 | GithubOSV Importer | Fixing | VCID-s55u-qv5w-gbhj | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-28xr-mwxg-3qc8/GHSA-28xr-mwxg-3qc8.json | 38.6.0
2026-06-11T20:28:39.981837+00:00 | GHSA Importer | Fixing | VCID-s55u-qv5w-gbhj | https://github.com/advisories/GHSA-28xr-mwxg-3qc8 | 38.6.0