Command injection in simple-git

GHSA-3f95-r44v-8mrg · CVE-2022-24433

Published Mar 12, 2022 · Modified Jan 14, 2025

Description

The package simple-git before 3.3.0 is vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options, it was possible to get arbitrary command execution.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-24433
WEB https://github.com/steveukx/git-js/pull/767
PACKAGE https://github.com/steveukx/git-js
WEB https://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0
WEB https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245
WEB https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes