CVE-2022-24433

HIGH

simple-git <3.3.0 - Command Injection

Title source: llm

Description

The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution.

References (4)

[Patch, Third Party Advisory] https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199

[Patch, Third Party Advisory] https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245

[Patch, Third Party Advisory] https://github.com/steveukx/git-js/pull/767

[Patch, Third Party Advisory] https://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0

Scores

CVSS v3 8.1

EPSS 0.0093

EPSS Percentile 76.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-88

Status published

Products (2)

npm/simple-git 0 - 3.3.0npm

simple-git_project/simple-git < 3.3.0

Published Mar 11, 2022

Tracked Since Feb 18, 2026