CVE-2022-24433

HIGH

simple-git <3.3.0 - Command Injection

Title source: llm

Description

The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution.

References (4)

[Patch, Third Party Advisory] https://github.com/steveukx/git-js/pull/767

[Patch, Third Party Advisory] https://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0

[Patch, Third Party Advisory] https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245

[Patch, Third Party Advisory] https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199

Scores

CVSS v3 8.1

EPSS 0.0093

EPSS Percentile 75.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-88

Status published

Affected Products (2)

simple-git_project/simple-git < 3.3.0

npm/simple-git < 3.3.0npm

Timeline

Published Mar 11, 2022

Tracked Since Feb 18, 2026