HIGH 8.1

GHSA-9p95-fxvg-qgq2

simple-git vulnerable to Remote Code Execution when enabling the ext transport protocol

Details

The package simple-git before 3.15.0 is vulnerable to Remote Code Execution (RCE) when the `ext` transport protocol is enabled, which makes it exploitable via the `clone()` method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306).
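
An added example (not code from the advisory or from simple-git): in addition to upgrading, code that passes untrusted repository locations to `clone()` can allowlist URL schemes so that git's `<transport>::<address>` remote-helper form, of which `ext::` is one, never reaches git. The function names, the allowed schemes and the sample values are assumptions.

```javascript
// Added example: allowlist guard in front of simple-git's clone().
// Assumption: only https and ssh remotes are legitimate in this deployment.
const ALLOWED_SCHEMES = new Set(['https:', 'ssh:']);

function checkRepoUrl(input) {
  if (typeof input !== 'string' || input.length === 0) {
    return { ok: false, reason: 'empty or non-string value' };
  }
  // A leading dash would be read by git as an option, not a repository.
  if (input.startsWith('-')) {
    return { ok: false, reason: 'looks like a command-line option' };
  }
  // Remote-helper form "<transport>::<address>"; "ext::" is one such transport.
  if (/^[A-Za-z0-9+.-]+::/.test(input)) {
    return { ok: false, reason: 'remote-helper transport prefix' };
  }
  if (/[\x00-\x1f\x7f]/.test(input)) {
    return { ok: false, reason: 'control character' };
  }
  let url;
  try {
    url = new URL(input);
  } catch {
    // Also rejects scp-style "user@host:path"; use ssh://user@host/path instead.
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (!url.hostname) return { ok: false, reason: 'missing host' };
  return { ok: true, url: url.href };
}

// `git` is a simple-git instance (or any object exposing clone(repo, dir)).
async function safeClone(git, repoUrl, localPath) {
  const verdict = checkRepoUrl(repoUrl);
  if (!verdict.ok) throw new Error(`refusing to clone: ${verdict.reason}`);
  return git.clone(verdict.url, localPath);
}

// Constructed sample inputs (placeholders, not taken from the advisory).
const samples = ['https://example.com/org/repo.git', 'ext::placeholder-helper arg',
  'file:///srv/repo.git', '--placeholder-option'];
for (const s of samples) console.log(s, '=>', JSON.stringify(checkRepoUrl(s)));
```

The guard complements the fixed version; it does not replace the upgrade to 3.15.0.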

Affected packages

npm / simple-git
Introduced in: 0
Fixed in: 3.15.0
Fix: npm install simple-git@3.15.0

References