Threat Advisory

simple-git Affected by Command Execution via Option-Parsing Bypass

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in simple-git, specifically in versions prior to 3.32.0. These vulnerabilities allow for arbitrary command execution through Git option manipulation, bypassing safety checks meant to block dangerous options. This has significant business implications, as attackers could exploit these vulnerabilities to gain unauthorized access to sensitive data, disrupt operations, and compromise system integrity. The vulnerabilities also pose a high risk to confidentiality, integrity, and availability, potentially leading to data breaches, financial losses, and reputational damage.

CVE-2026-28291 (CVSS score 8.1): This vulnerability allows attackers to execute arbitrary commands by manipulating Git options, bypassing the safety checks intended to block dangerous options, so that commands run without explicit user permission. Exploitation requires no prerequisites other than access to the affected system.

CVE-2022-25860: This vulnerability was introduced by an incorrect patch and allowed execution of arbitrary commands through Git option manipulation, again without explicit user permission. Exploitation requires no prerequisites other than access to the affected system.

The risk associated with these vulnerabilities is high, as they can be exploited remotely, albeit with high attack complexity. If left unaddressed, they can lead to significant business consequences, including data breaches, financial losses, and reputational damage. It is essential to address these vulnerabilities promptly to prevent potential attacks and maintain system integrity.
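The weakness class described above (user-controlled values reaching Git's option parser) is best mitigated in the calling application by never letting untrusted input occupy an option position, in addition to upgrading the library. The JavaScript helper below is an added example for this advisory, not code from simple-git or its maintainers; it assumes a hypothetical wrapper that assembles the argument list before handing it to a Git client. It shows an allow-list of options with per-option validators, rejection of any operand that starts with "-", and the `--` end-of-options separator. The function names, the accepted URL schemes and the option names are assumptions made for the example.

```javascript
// Added example (not simple-git's own code): allow-list validation of
// user-controlled values before they are placed on a git command line.

// Any string beginning with "-" could be consumed by git as an option.
const OPTION_LIKE = /^-/;

// Remote URLs accepted from users (assumption for this example: https and ssh only,
// restricted to URL-safe characters so no argument boundary can be broken).
const REMOTE_PATTERN = /^(https:\/\/|ssh:\/\/)[A-Za-z0-9._~:\/?#\[\]@!$&'()*+,;=%-]+$/;

// Per-option validators. Anything not listed here is rejected outright,
// which is more robust than a deny-list of known-dangerous options.
const ALLOWED_OPTIONS = {
  depth: (v) => Number.isInteger(v) && v > 0,
  branch: (v) =>
    typeof v === 'string' && /^[A-Za-z0-9._\/-]+$/.test(v) && !OPTION_LIKE.test(v),
};

// True only for a non-empty operand that git cannot mistake for an option.
function isSafeGitArgument(value) {
  if (typeof value !== 'string' || value.length === 0) return false;
  if (OPTION_LIKE.test(value)) return false;   // would be parsed as an option
  if (/[\0\r\n]/.test(value)) return false;    // control characters
  return true;
}

function isAllowedRemote(remote) {
  return isSafeGitArgument(remote) && REMOTE_PATTERN.test(remote);
}

// Builds the argv for a clone from untrusted remote, destination and options.
function buildCloneArgs(remote, dest, userOptions = {}) {
  if (!isAllowedRemote(remote)) throw new Error(`rejected remote: ${remote}`);
  if (!isSafeGitArgument(dest) || dest.includes('..')) {
    throw new Error(`rejected destination: ${dest}`);
  }
  const args = ['clone'];
  for (const [name, value] of Object.entries(userOptions)) {
    // hasOwnProperty guards against inherited keys such as "constructor".
    if (!Object.prototype.hasOwnProperty.call(ALLOWED_OPTIONS, name)) {
      throw new Error(`rejected option: ${name}`);
    }
    if (!ALLOWED_OPTIONS[name](value)) throw new Error(`rejected value for: ${name}`);
    args.push(`--${name}`, String(value));
  }
  // "--" tells git that everything after it is an operand, never an option.
  args.push('--', remote, dest);
  return args;
}

// Constructed sample inputs.
console.log(buildCloneArgs('https://example.com/org/repo.git', 'work/repo', { depth: 1 }).join(' '));
try {
  buildCloneArgs('--some-option=value', 'work/repo');
} catch (err) {
  console.log('blocked:', err.message);
}
```

The resulting array would be passed to the Git client as discrete arguments (never joined into a shell string), so that the validated operands always follow `--` and the only options present are the ones the application itself chose to emit.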

RECOMMENDATION:

We recommend updating simple-git to version 3.32.0.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-jcxm-m3jx-f287
