Package details: pkg:npm/simple-git@3.19.0
purl: pkg:npm/simple-git@3.19.0
Next non-vulnerable version: 3.36.0
Latest non-vulnerable version: 3.36.0
Risk: 4.5
Vulnerabilities affecting this package (3)
| Vulnerability | Summary | Fixed by |
| --- | --- | --- |
| VCID-9tyq-hrn5-4kbn (Aliases: CVE-2026-28291, GHSA-jcxm-m3jx-f287) | simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for CVE-2022-25860, as Git's flexible option parsing allows numerous character combinations (e.g., -vu, -4u, -nu) to circumvent the regular-expression-based blocklist in the unsafe operations plugin. Due to the virtually infinite number of valid option variants that Git accepts, a complete blocklist-based mitigation may be infeasible without fully emulating Git's option parsing behavior. This issue has been fixed in version 3.32.0. | 3.32.0 (affected by 2 other vulnerabilities) |
| VCID-jrj3-d3uk-dfdh (Aliases: CVE-2026-6951, GHSA-hffm-xvc3-vprc) | Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221) that blocks the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source. | 3.36.0 (affected by 0 other vulnerabilities) |
| VCID-tpqs-9aax-ffhy (Aliases: CVE-2026-28292, GHSA-r275-fr43-pm7q) | | 3.32.3 (affected by 1 other vulnerability) |
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- | --- |
| 2026-06-12T22:13:40.802983+00:00 | GitLab Importer | Affected by | VCID-jrj3-d3uk-dfdh | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/simple-git/CVE-2026-6951.yml | 38.6.0 |
| 2026-06-12T22:01:43.694707+00:00 | GitLab Importer | Affected by | VCID-9tyq-hrn5-4kbn | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/simple-git/CVE-2026-28291.yml | 38.6.0 |
| 2026-06-12T21:21:10.593693+00:00 | GitLab Importer | Affected by | VCID-tpqs-9aax-ffhy | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/simple-git/CVE-2026-28292.yml | 38.6.0 |