Description
The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306).
References (5)
Core 5
Core References
Broken Link
https://github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md%23overriding-allowed-protocols
Patch, Third Party Advisory
https://github.com/steveukx/git-js/commit/774648049eb3e628379e292ea172dccaba610504
Release Notes, Third Party Advisory
https://github.com/steveukx/git-js/releases/tag/simple-git%403.15.0
Exploit, Patch, Third Party Advisory
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3153532
Exploit, Patch, Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221
Scores
CVSS v3
8.1
EPSS
0.4331
EPSS Percentile
97.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (2)
npm/simple-git
0 - 3.15.0npm
simple-git_project/simple-git
< 3.15.0
Published
Dec 06, 2022
Tracked Since
Feb 18, 2026