Description
Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221).
References (3)
Patch, Third Party Advisory: https://github.com/steveukx/git-js/commit/ec97a39ab60b89e870c5170121cd9c1603cc1951
Patch, Third Party Advisory: https://github.com/steveukx/git-js/pull/881/commits/95459310e5b8f96e20bb77ef1a6559036b779e13
Exploit, Third Party Advisory: https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3177391
Scores
CVSS v3: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
EPSS: 0.4174 (97.4th percentile)
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-78 (OS Command Injection), CWE-94 (Code Injection)
Status: published
Products (2)
npm/simple-git (npm): 0 up to, but not including, 3.16.0
simple-git_project/simple-git: < 3.16.0
Published: Jan 26, 2023
Tracked Since: Feb 18, 2026