Remote code execution in simple-git

GHSA-9w5j-4mwv-2wj8 · CVE-2022-25860

Published Jan 26, 2023 · Modified Apr 1, 2025

Description

Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of CVE-2022-25912.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-25860
WEB https://github.com/steveukx/git-js/pull/881/commits/95459310e5b8f96e20bb77ef1a6559036b779e13
WEB https://github.com/steveukx/git-js/commit/ec97a39ab60b89e870c5170121cd9c1603cc1951
WEB https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3177391

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes