Describe the bug
Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of CVE-2022-25912.
To reproduce
Remote code execution in simple-git
Critical severity · GitHub Reviewed · Published on Jan 26 to the GitHub Advisory Database · Updated on Feb 3
Vulnerability details
Package
simple-git (npm)
Affected versions
< 3.16.0
Patched versions
3.16.0
Description
Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of https://github.com/advisories/GHSA-9p95-fxvg-qgq2.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-25860
https://github.com/steveukx/git-js/commit/95459310e5b8f96e20bb77ef1a6559036b779e13
https://github.com/steveukx/git-js/commit/ec97a39ab60b89e870c5170121cd9c1603cc1951
https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3177391
Expected behavior
Patch:
https://github.com/steveukx/git-js/commit/ec97a39ab60b89e870c5170121cd9c1603cc1951
Screenshots
No response
Desktop (please complete the following information)
No response
Smartphone (please complete the following information)
No response
Additional context
No response
Would you like to work on this issue?