Command Injection
Description
The package simple-git before 3.3.0 is vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting git options it was possible to get arbitrary command execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
simple-git before 3.3.0 is vulnerable to command injection via argument injection in the .fetch() function.
Vulnerability
The package simple-git before version 3.3.0 is vulnerable to Command Injection via argument injection in the git fetch subcommand [2]. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed directly to the underlying git command without sufficient sanitization [2]. An attacker can inject git options that lead to arbitrary command execution [2].
Exploitation
An attacker needs to control the remote or branch parameters passed to the .fetch() function [2]. By injecting git options such as --upload-pack (as noted in the pull request fixing this issue [3]), an attacker can force the execution of arbitrary commands instead of the intended git fetch operation. No special network position or authentication is required beyond the ability to provide these parameters, which could occur through user input or API calls [2].
Impact
Successful exploitation allows an attacker to execute arbitrary commands on the system where the simple-git library is running [2]. This leads to full compromise of the confidentiality, integrity, and availability of the affected application and its underlying system [2]. The attacker gains the privilege level of the Node.js process that called the vulnerable function [2].
Mitigation
The fix was released in version 3.3.0 [4], which sanitizes the parameters to block injection of git options like --upload-pack [3]. Users should upgrade to 3.3.0 or later immediately [4]. No other workarounds are documented in the available references.
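As an added defensive example (not simple-git's own code and not part of this advisory), the following guard validates the remote and branch values before they are handed to a fetch, rejecting anything git would parse as an option. The function names are assumed, and the git instance is passed in so the check can be exercised without the library installed.

```javascript
// Added example, not simple-git's code: reject remote/branch values that git
// would parse as options, the argument-injection vector in .fetch().

// A positional value beginning with "-" is read by git as an option
// (e.g. "--upload-pack=..."), so it is never acceptable here.
const OPTION_LIKE = /^-/;

// Conservative allowlist for remote names and branch names: letters, digits,
// dot, underscore, slash and dash. Shell metacharacters, spaces and control
// characters are excluded outright.
const REF_CHARS = /^[A-Za-z0-9._/-]+$/;

// Returns true only for a value that is safe to pass as a git positional arg.
function isSafeGitArg(value) {
  if (typeof value !== 'string' || value.length === 0) return false;
  if (OPTION_LIKE.test(value)) return false;   // option injection
  if (!REF_CHARS.test(value)) return false;    // disallowed characters
  // Sequences git itself refuses in ref names (see git check-ref-format).
  if (value.includes('..') || value.endsWith('.lock')) return false;
  return true;
}

// Builds the argv that would reach git for a fetch, or throws so the caller
// never reaches the injectable code path with a hostile value.
function safeFetchArgs(remote, branch) {
  for (const [name, value] of [['remote', remote], ['branch', branch]]) {
    if (!isSafeGitArg(value)) {
      throw new Error(`refused unsafe git ${name} argument: ${JSON.stringify(value)}`);
    }
  }
  return ['fetch', remote, branch];
}

// Wrapper around a simple-git instance (assumed name; `git` is any object
// exposing fetch(remote, branch), so a stub works for offline testing).
function guardedFetch(git, remote, branch) {
  safeFetchArgs(remote, branch); // throws on unsafe input
  return git.fetch(remote, branch);
}

module.exports = { isSafeGitArg, safeFetchArgs, guardedFetch };
```

Upgrading to 3.3.0 or later remains the actual fix; this guard only illustrates the class of check the patch applies at the library boundary.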
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| simple-git (npm) | < 3.3.0 | 3.3.0 |
Affected products
- simple-git/simple-git
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-3f95-r44v-8mrg (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2022-24433 (advisory)
- [3] github.com/steveukx/git-js/pull/767
- [4] github.com/steveukx/git-js/releases/tag/simple-git%403.3.0
- [5] snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245
- [6] snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199
News mentions
No linked articles in our index yet.