simple-git Remote Code Execution via Protocol Bypass, CVE-2026-28292 (Critical)

Listen to this Post

simple-git, a Node.js interface for running Git commands, contains a vulnerability in versions 3.15.0 through 3.32.2 that allows attackers to achieve full remote code execution (RCE) on the host machine. This flaw bypasses two previous fixes for similar command injection vulnerabilities (CVE-2022-25860 and CVE-2022-25912). The core issue lies in the blockUnsafeOperationsPlugin, which is designed to block dangerous Git protocols like ext::. The plugin uses a case-sensitive regular expression to validate the `protocol.allow` configuration key. However, Git itself treats configuration keys as case-insensitive. An attacker can exploit this discrepancy by supplying the key in an uppercase or mixed-case format, such as PROTOCOL.ALLOW=always. This bypasses the case-sensitive security check, re-enables the `ext::` protocol, and allows an attacker to execute arbitrary operating system commands through a crafted `ext::` URL. The vulnerability is exploitable over the network with low complexity and requires no privileges or user interaction, earning a CVSS score of 9.8 (Critical). The bypass technique is subtle, allowing malicious input to evade traditional static analysis security testing (SAST) tools by simply altering the case of the configuration key .
Platform: Node.js npm
Version: 3.15.0 to 3.32.2
Vulnerability : Command Injection
Severity: Critical (9.8)
date: March 10, 2026

Prediction: Patch already available in 3.23.0

What Undercode Say:

Analysis

The vulnerability is a direct bypass of previous security patches (CVE-2022-25860, CVE-2022-25912). The attack vector leverages the fundamental design of Git, which treats configuration keys as case-insensitive, against the case-sensitive security logic implemented in the JavaScript plugin. This highlights a dangerous mismatch between the security assumptions of the application and the actual behavior of the underlying system. The fact that the same researcher or team discovered this by focusing on the nuanced interaction between the library and Git, rather than simple pattern matching, suggests that similar logical bypasses may exist in other tools that wrap complex subsystems.

Check for Vulnerability

Check the version of simple-git in your project
npm list simple-git
Check package.json for the version
cat package.json | grep simple-git
Check package-lock.json for the exact version
grep -A 5 '"simple-git"' package-lock.json

How Exploit

An attacker would need to control input passed to a `simple-git` method that handles URLs or configuration, such as clone(), pull(), or push(). By injecting a configuration override like `-c protocol.allow=always` but using case variation to bypass the filter, they can enable the `ext::` handler. The final payload would look similar to previous bypasses, aiming to execute a system command.

Conceptual exploit payload (Illustrative, based on previous CVEs)
Attacker supplies a remote URL or configuration string:
git clone -c PROTOCOL.ALLOW=always "ext::touch /tmp/pwned"

Based on previous bypass patterns, a successful exploit would result in command execution on the host .

Protection from this CVE

  1. Immediate Upgrade: Update the `simple-git` package to version 3.23.0 or later, which contains the patched fix .
  2. Input Validation: If you cannot upgrade immediately, implement strict allow-listing for any user-controlled input that is passed to Git commands, ensuring it does not contain configuration flags or protocol specifiers.
  3. Dependency Scanning: Use Software Composition Analysis (SCA) tools to monitor for vulnerable dependencies in your `package-lock.json` file .

Impact

Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary operating system commands on the server hosting the Node.js application. This can lead to full system compromise, including data theft, installation of backdoors, lateral movement within the network, and complete loss of integrity and availability of the affected host .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top