CVE-2026-28291

Exploit

EPSS 0.64%
Veröffentlicht 13.04.2026 17:15:14
Zuletzt bearbeitet 13.05.2026 20:52:38
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

simple-git has Command Execution via Option-Parsing Bypass

simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for CVE-2022-25860, as Git's flexible option parsing allows numerous character combinations (e.g., -vu, -4u, -nu) to circumvent the regular-expression-based blocklist in the unsafe operations plugin. Due to the virtually infinite number of valid option variants that Git accepts, a complete blocklist-based mitigation may be infeasible without fully emulating Git's option parsing behavior. This issue has been fixed in version 3.32.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Simple-git Project ≫ Simple-git SwPlatformnode.js Version < 3.32.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.64%	0.457

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://github.com/steveukx/git-js/security/advisories/GHSA-jcxm-m3jx-f287

Vendor Advisory

Exploit

https://github.com/steveukx/git-js/blob/789c13ebabcf18ebe0b3a0c88ebb4037dede42e3/simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts#L26

Product

https://github.com/steveukx/git-js/releases/tag/simple-git%403.32.0

Release Notes

https://www.cve.org/CVERecord?id=CVE-2022-25860

Third Party Advisory

VDB Entry

https://github.com/steveukx/git-js/commit/1effd8e5012a5da05a9776512fac3e39b11f2d2d

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-28291

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-28291

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-28291

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-28291