`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.
The vulnerability results from improper handling of input data passed to git commands in Node.js applications using the `simple-git` library. Input validation and sanitization mechanisms introduced as patches for CVE-2022-25860 and CVE-2022-25912 can be bypassed, classified as CWE-78 (command injection) and CWE-178 (improper case-sensitive comparison). An attacker can craft malicious input that will be interpreted as system commands and executed on the server.
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code remotely (RCE) on the host machine without authentication, which can lead to complete system compromise, data disclosure, or data modification.
The `simple-git` library should be updated to version 3.23.0 or higher containing the patch. Details are available in the project repository and in security advisory GHSA-r275-fr43-pm7q.
Simple-Git Project Simple-Git in versions from 3.15.0 to 3.32.2 (excluding version 3.23.0, which contains the patch). Affects Node.js applications using the `simple-git` library.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSimple Git Project Simple Git
APPSimple-Git Project3.15.0 – 3.32.2 (bez)
Related vulnerabilities
Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incom...
simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow exec...
Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone()...
The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext trans...
The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of [CVE-2022-...