simple-git is vulnerable to Remote Code Execution

GHSA-hffm-xvc3-vprc · CVE-2026-6951

Published Apr 25, 2026 · Modified May 26, 2026

Description

Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for CVE-2022-25912 that blocks the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-6951
WEB https://github.com/steveukx/git-js/commit/89a2294febed5dfe737c4c735d936bb6018746a8
WEB https://gist.github.com/KKC73/02d1d97f3410756095b501fda0ac8ca6
PACKAGE https://github.com/steveukx/git-js
WEB https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-15456078

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes