CVE-2026-28291

HIGH EPSS 45.9%
Published Apr 13, 20262mo ago · Modified Jun 17, 20261w ago
8.1 CVSS 3.1
High
Find Similar
Published Apr 13, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago

Description

simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for CVE-2022-25860, as Git's flexible option parsing allows numerous character combinations (e.g., -vu, -4u, -nu) to circumvent the regular-expression-based blocklist in the unsafe operations plugin. Due to the virtually infinite number of valid option variants that Git accepts, a complete blocklist-based mitigation may be infeasible without fully emulating Git's option parsing behavior. This issue has been fixed in version 3.32.0.

CVSS Details

Base Score
8.1
Exploitability
2.2
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
45.9% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-78 OS Command Injection Injection

Affected Products 1

VendorProductVersionRange
simple-git_projectsimple-git* <3.32.0

References 5

  • github.com https://github.com/steveukx/git-js/blob/789c13ebabcf18ebe0b3a0c88ebb4037dede42e3/simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts#L26
    Product
  • github.com https://github.com/steveukx/git-js/commit/1effd8e5012a5da05a9776512fac3e39b11f2d2d
    Patch
  • github.com https://github.com/steveukx/git-js/releases/tag/simple-git%403.32.0
    Release Notes
  • github.com https://github.com/steveukx/git-js/security/advisories/GHSA-jcxm-m3jx-f287
    ExploitVendor Advisory
  • cve.org https://www.cve.org/CVERecord?id=CVE-2022-25860
    Third Party AdvisoryVDB Entry

Remediation

  • github.com https://github.com/steveukx/git-js/commit/1effd8e5012a5da05a9776512fac3e39b11f2d2d
    Patch