CVE-2026-28291
HIGHsimple-git has Command Execution via Option-Parsing Bypass
Title source: cnaDescription
simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for CVE-2022-25860, as Git's flexible option parsing allows numerous character combinations (e.g., -vu, -4u, -nu) to circumvent the regular-expression-based blocklist in the unsafe operations plugin. Due to the virtually infinite number of valid option variants that Git accepts, a complete blocklist-based mitigation may be infeasible without fully emulating Git's option parsing behavior. This issue has been fixed in version 3.32.0.
References (5)
Core 5
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/steveukx/git-js/security/advisories/GHSA-jcxm-m3jx-f287
X_Refsource_Misc x_refsource_misc
https://github.com/steveukx/git-js/blob/789c13ebabcf18ebe0b3a0c88ebb4037dede42e3/simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts#L26
X_Refsource_Misc x_refsource_misc
https://github.com/steveukx/git-js/releases/tag/simple-git%403.32.0
X_Refsource_Misc x_refsource_misc
https://www.cve.org/CVERecord?id=CVE-2022-25860
X_Refsource_Misc x_refsource_misc
https://github.com/steveukx/git-js/commit/1effd8e5012a5da05a9776512fac3e39b11f2d2d
Scores
CVSS v3
8.1
EPSS
0.0064
EPSS Percentile
45.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (3)
npm/simple-git
0 - 3.32.0npm
simple-git_project/simple-git
< 3.32.0
steveukx/git-js
< 3.32.0
Published
Apr 13, 2026
Tracked Since
Apr 13, 2026