Steve King

7 exploits Active since Apr 2022
CVE-2026-28291 WRITEUP HIGH WRITEUP
simple-git has Command Execution via Option-Parsing Bypass
simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for CVE-2022-25860, as Git's flexible option parsing allows numerous character combinations (e.g., -vu, -4u, -nu) to circumvent the regular-expression-based blocklist in the unsafe operations plugin. Due to the virtually infinite number of valid option variants that Git accepts, a complete blocklist-based mitigation may be infeasible without fully emulating Git's option parsing behavior. This issue has been fixed in version 3.32.0.
CVSS 8.1
CVE-2026-6951 WRITEUP CRITICAL WRITEUP
Simple-git < 3.36.0 - Remote Code Execution
Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221) that blocks the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source.
CVSS 9.8
CVE-2026-28292 WRITEUP CRITICAL WRITEUP
simple-git 3.15.0-3.32.2 - RCE
`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.
CVSS 9.8
CVE-2020-28471 WRITEUP HIGH WRITEUP
Properties-reader < 2.2.0 - Prototype Pollution
This affects the package properties-reader before 2.2.0.
CVSS 7.3
CVE-2022-24066 WRITEUP HIGH WRITEUP
simple-git <3.5.0 - Command Injection
The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199) which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.
CVSS 8.1
CVE-2022-25860 WRITEUP HIGH WRITEUP
Simple-git < 3.16.0 - Code Injection
Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221).
CVSS 8.1
CVE-2022-25912 WRITEUP HIGH WRITEUP
Simple-git < 3.15.0 - OS Command Injection
The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306).
CVSS 8.1