{"url":"http://public2.vulnerablecode.io/api/packages/74660?format=json","purl":"pkg:npm/simple-git@3.32.3","type":"npm","namespace":"","name":"simple-git","version":"3.32.3","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50817?format=json","vulnerability_id":"VCID-epz2-6ye6-bfay","summary":"simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE\nThe `blockUnsafeOperationsPlugin` in `simple-git` fails to block git protocol\noverride arguments when the config key is passed in uppercase or mixed case.\nAn attacker who controls arguments passed to git operations can enable the\n`ext::` protocol by passing `-c PROTOCOL.ALLOW=always`, which executes an\narbitrary OS command on the host machine.\n\n---\n\n\n| # | Vector | Payload | Sentinel file | Result |\n|---|--------|---------|---------------|--------|\n| 1 | CVE-2022-25912 original | `protocol.ext.allow=always` (lowercase) | not created | Blocked ✅ |\n| 2 | Case-sensitivity bypass | `PROTOCOL.ALLOW=always` (uppercase) | `/tmp/pwn-codeant` created | **RCE ⚠️** |\n| 3 | Real-world app scenario | `PROTOCOL.ALLOW=always` + attacker URL | `/tmp/pwn-realworld` created | **RCE ⚠️** |\n\nThe case-sensitive regex in `preventProtocolOverride` blocks `protocol.*.allow` but does not account for uppercase or mixed-case variants. Git accepts all variants identically due to case-insensitive config key normalisation, allowing full bypass of the protection in all versions of simple-git that carry the 2022 fix.\n\n`/tmp/pwned` is created by the git subprocess via the `ext::` protocol.\n\nAll of the following bypass the check:\n\n| Argument passed via `-c` | Regex matches? | Git honours it? |\n|--------------------------|:--------------:|:---------------:|\n| `protocol.allow=always`  | ✅ blocked     | ✅              |\n| `PROTOCOL.ALLOW=always`  | ❌ bypassed    | ✅              |\n| `Protocol.Allow=always`  | ❌ bypassed    | ✅              |\n| `PROTOCOL.allow=always`  | ❌ bypassed    | ✅              |\n| `protocol.ALLOW=always`  | ❌ bypassed    | ✅              |\n\n---","references":[{"reference_url":"https://github.com/steveukx/git-js","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/steveukx/git-js"},{"reference_url":"https://github.com/steveukx/git-js/commit/f7042088aa2dac59e3c49a84d7a2f4b26048a257","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/steveukx/git-js/commit/f7042088aa2dac59e3c49a84d7a2f4b26048a257"},{"reference_url":"https://www.codeant.ai/security-research/security-research-simple-git-remote-code-execution-cve-2026-28292","reference_id":"","reference_type":"","scores":[],"url":"https://www.codeant.ai/security-research/security-research-simple-git-remote-code-execution-cve-2026-28292"},{"reference_url":"https://www.codeant.ai/security-research/simple-git-remote-code-execution-cve-2026-28292","reference_id":"","reference_type":"","scores":[],"url":"https://www.codeant.ai/security-research/simple-git-remote-code-execution-cve-2026-28292"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28292","reference_id":"CVE-2026-28292","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28292"},{"reference_url":"https://github.com/advisories/GHSA-r275-fr43-pm7q","reference_id":"GHSA-r275-fr43-pm7q","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-r275-fr43-pm7q"},{"reference_url":"https://github.com/steveukx/git-js/security/advisories/GHSA-r275-fr43-pm7q","reference_id":"GHSA-r275-fr43-pm7q","reference_type":"","scores":[],"url":"https://github.com/steveukx/git-js/security/advisories/GHSA-r275-fr43-pm7q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74660?format=json","purl":"pkg:npm/simple-git@3.32.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/simple-git@3.32.3"}],"aliases":["CVE-2026-28292","GHSA-r275-fr43-pm7q"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-epz2-6ye6-bfay"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/simple-git@3.32.3"}