simple-git vulnerable to Remote Code Execution when enabling the ext transport protocol

GHSA-9p95-fxvg-qgq2 · CVE-2022-25912

Published Dec 6, 2022 · Modified Nov 8, 2023

Description

The package simple-git before 3.15.0 is vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of CVE-2022-24066.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-25912
WEB https://github.com/steveukx/git-js/commit/774648049eb3e628379e292ea172dccaba610504
PACKAGE https://github.com/steveukx/git-js
WEB https://github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md%23overriding-allowed-protocols
WEB https://github.com/steveukx/git-js/releases/tag/simple-git%403.15.0
WEB https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3153532
WEB https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes