Critical severity 9.8 · NVD Advisory · Published Mar 10, 2026 · Updated Apr 14, 2026
CVE-2026-28292
Description
simple-git, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.32.3 contains an updated fix for the vulnerability.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| simple-git (npm) | >= 3.15.0, < 3.32.3 | 3.32.3 |
Affected products
- cpe:2.3:a:simple-git_project:simple-git:*:*:*:*:*:node.js:*:* (range: >=3.15.0, <3.32.2). Note that this NVD range stops one release short of the GHSA range in the table above (< 3.32.3): the description and the GHSA both treat 3.32.2 as affected, so inventory matching should include 3.32.2.
Patches
- f7042088aa2d: In extension to CVE-2022-25912, switch to case-insensitive check for `protocol.allow` in the handling of `allowUnsafeProtocolOverride`
3 files changed · +31 −1
.changeset/twelve-tires-trade.md+7 −0 added@@ -0,0 +1,7 @@ +--- +"simple-git": patch +--- + +Enhanced `protocol.allow` checks in `allowUnsafeExtProtocol` handling. + +Thanks to @CodeAnt-AI-Security for identifying the issue
simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts+1 −1 modified@@ -21,7 +21,7 @@ function preventProtocolOverride(arg: string, next: string) { return; } - if (!/^\s*protocol(.[a-z]+)?.allow/.test(next)) { + if (!/^\s*protocol(.[a-z]+)?.allow/i.test(next)) { return; }
simple-git/test/unit/plugins/plugin.unsafe.spec.ts+23 −0 modified@@ -7,6 +7,29 @@ import { } from '../__fixtures__'; describe('blockUnsafeOperationsPlugin', () => { + it.each([ + ['protocol.allow=always'], + ['PROTOCOL.ALLOW=always'], + ['Protocol.Allow=always'], + ['PROTOCOL.allow=always'], + ['protocol.ALLOW=always'], + ])('blocks protocol overide in format %s', async (cmd) => { + const task = ['config', '-c', cmd, 'config', '--list']; + + assertGitError( + await promiseError(newSimpleGit().raw(...task)), + 'allowUnsafeExtProtocol' + ); + + const err = promiseError( + newSimpleGit({ unsafe: { allowUnsafeProtocolOverride: true } }).raw(...task), + ); + + await closeWithSuccess(); + expect(await err).toBeUndefined(); + assertExecutedCommands(...task); + }); + it.each([ ['clone', '-u touch /tmp/pwn'], ['cmd', '--upload-pack=touch /tmp/pwn0'],
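Review bot: in the patched regex `/^\s*protocol(.[a-z]+)?.allow/i` (block-unsafe-operations-plugin.ts) both dots are unescaped, so they match any character rather than a literal `.`; that only over-blocks (a key such as `protocol_allow=...` is also refused), never under-blocks, but `/^\s*protocol(\.[a-z]+)?\.allow/i` states the intent and should replace it. Separately, the subsection class `[a-z]+` admits neither digits nor hyphens, so a `protocol.<name>.allow` key whose name contains either would not be matched; if git accepts such names for custom remote helpers, widen the class to `[^.]+`.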
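Review bot: the five new `it.each` cases in plugin.unsafe.spec.ts all exercise the top-level `protocol.allow` key, so none of them takes the `(.[a-z]+)?` branch of the regex; add a mixed-case per-protocol form such as `PROTOCOL.EXT.ALLOW=always` or `Protocol.Ext.Allow=always` to pin the fix for the key that CVE-2022-25912 concerned. Minor: the test title reads `blocks protocol overide in format %s`; it should be `override`.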
Vulnerability mechanics
The block-unsafe-operations plugin guards against re-enabling git's unsafe transports (the `ext::` remote helper that the fixes for CVE-2022-25860 and CVE-2022-25912 addressed) by inspecting the argument that follows a `-c` flag and refusing the command with an `allowUnsafeExtProtocol` error when that argument sets `protocol.allow` or `protocol.<name>.allow`, unless the caller has explicitly opted in through `unsafe.allowUnsafeProtocolOverride`. Before commit f7042088aa2d the regex used for that inspection was case-sensitive. Git compares the section and variable names of config keys case-insensitively, so a key spelled `PROTOCOL.ALLOW=always` (or any other case variant) passed the check untouched while still being honoured by git, which re-opened the original command-execution path through the unsafe protocol. The fix adds the `i` flag to the regex, and the accompanying unit test asserts that the case variants are now refused and that the opt-in still lets them through.
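The check described above, as an added example that is not simple-git's own code: it runs the pre-fix regex and the patched regex from commit f7042088aa2d over a constructed argv and reports which `-c` overrides git would honour as a `protocol...allow` setting but each regex fails to block. The argv scanner, the `gitHonoursProtocolAllow` model of git's key comparison, and the sample argv are this example's own assumptions, not the project's implementation.

```javascript
// Added example, not simple-git's code. The two regexes are copied from the
// patch; everything else is this example's own simplification.

// Regex exactly as on the page, before and after the fix (only the `i` flag differs).
const VULNERABLE_RE = /^\s*protocol(.[a-z]+)?.allow/;
const FIXED_RE = /^\s*protocol(.[a-z]+)?.allow/i;

// Model (assumption) of how git reads a `-c key=value` argument: section and
// variable names are compared case-insensitively, the optional subsection
// (the protocol name, e.g. `ext`) is compared as written. Returns true when
// the argument sets some `protocol[.<name>].allow` key.
function gitHonoursProtocolAllow(configArg) {
  const key = configArg.split('=')[0].trim();
  const parts = key.split('.');
  if (parts.length < 2 || parts.length > 3) return false;
  const section = parts[0].toLowerCase();
  const variable = parts[parts.length - 1].toLowerCase();
  return section === 'protocol' && variable === 'allow';
}

// Mirror of the plugin's guard: the value after `-c` is tested against the
// regex, and a match means the command is refused.
function isBlocked(configArg, re) {
  return re.test(configArg);
}

// Walk an argv, find every `-c <key=value>` pair, and return the config
// arguments that git would honour as a protocol override but the given
// regex does not block. An empty result means no bypass for that argv.
function findBypasses(argv, re) {
  const missed = [];
  for (let i = 0; i < argv.length - 1; i++) {
    if (argv[i] !== '-c') continue;
    const configArg = argv[i + 1];
    if (gitHonoursProtocolAllow(configArg) && !isBlocked(configArg, re)) {
      missed.push(configArg);
    }
  }
  return missed;
}

// Constructed sample argv: one unrelated override, the lowercase form that
// was already blocked, and two case-variant spellings of the same setting.
const SAMPLE_ARGV = [
  'clone',
  '-c', 'user.name=example',
  '-c', 'protocol.allow=always',
  '-c', 'PROTOCOL.ALLOW=always',
  '-c', 'Protocol.ext.Allow=always',
  'https://example.invalid/repo.git',
];

// Returns the overrides each regex lets through for the sample argv.
function demo() {
  return {
    vulnerable: findBypasses(SAMPLE_ARGV, VULNERABLE_RE),
    fixed: findBypasses(SAMPLE_ARGV, FIXED_RE),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Under the pre-fix regex both case variants come back as bypasses; under the patched regex the list is empty. The unescaped dots in the regex mean it also refuses keys such as `protocol_allow=1`, which is harmless over-blocking rather than a gap.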
References
- github.com/steveukx/git-js/commit/f7042088aa2dac59e3c49a84d7a2f4b26048a257 (NVD: Patch)
- www.codeant.ai/security-research/security-research-simple-git-remote-code-execution-cve-2026-28292 (NVD: Exploit, Third Party Advisory)
- github.com/advisories/GHSA-r275-fr43-pm7q (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-28292 (GHSA: Advisory)
- github.com/steveukx/git-js/security/advisories/GHSA-r275-fr43-pm7q (NVD)
- www.codeant.ai/security-research/simple-git-remote-code-execution-cve-2026-28292 (NVD)