{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28292", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-26T01:52:58.736Z", "datePublished": "2026-03-10T18:34:21.717Z", "dateUpdated": "2026-04-14T15:30:40.620Z"}, "containers": {"cna": {"title": "simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key that enables RCE", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-178", "lang": "en", "description": "CWE-178: Improper Handling of Case Sensitivity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/steveukx/git-js/security/advisories/GHSA-r275-fr43-pm7q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/steveukx/git-js/security/advisories/GHSA-r275-fr43-pm7q"}, {"name": "https://github.com/steveukx/git-js/commit/f7042088aa2dac59e3c49a84d7a2f4b26048a257", "tags": ["x_refsource_MISC"], "url": "https://github.com/steveukx/git-js/commit/f7042088aa2dac59e3c49a84d7a2f4b26048a257"}, {"name": "https://www.codeant.ai/security-research/security-research-simple-git-remote-code-execution-cve-2026-28292", "tags": ["x_refsource_MISC"], "url": "https://www.codeant.ai/security-research/security-research-simple-git-remote-code-execution-cve-2026-28292"}], "affected": [{"vendor": "steveukx", "product": "simple-git", "versions": [{"version": ">= 3.15.0, < 3.32.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T17:35:45.980Z"}, "descriptions": [{"lang": "en", "value": "`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability."}], "source": {"advisory": "GHSA-r275-fr43-pm7q", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://www.codeant.ai/security-research/simple-git-remote-code-execution-cve-2026-28292", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T15:30:35.861085Z", "id": "CVE-2026-28292", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:30:40.620Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28292", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T15:30:35.861085Z"}}}], "references": [{"url": "https://www.codeant.ai/security-research/simple-git-remote-code-execution-cve-2026-28292", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:16:25.324Z"}}], "cna": {"title": "simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key that enables RCE", "source": {"advisory": "GHSA-r275-fr43-pm7q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "steveukx", "product": "simple-git", "versions": [{"status": "affected", "version": ">= 3.15.0, < 3.32.3"}]}], "references": [{"url": "https://github.com/steveukx/git-js/security/advisories/GHSA-r275-fr43-pm7q", "name": "https://github.com/steveukx/git-js/security/advisories/GHSA-r275-fr43-pm7q", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/steveukx/git-js/commit/f7042088aa2dac59e3c49a84d7a2f4b26048a257", "name": "https://github.com/steveukx/git-js/commit/f7042088aa2dac59e3c49a84d7a2f4b26048a257", "tags": ["x_refsource_MISC"]}, {"url": "https://www.codeant.ai/security-research/security-research-simple-git-remote-code-execution-cve-2026-28292", "name": "https://www.codeant.ai/security-research/security-research-simple-git-remote-code-execution-cve-2026-28292", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-178", "description": "CWE-178: Improper Handling of Case Sensitivity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T17:35:45.980Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28292", "state": "PUBLISHED", "dateUpdated": "2026-04-14T15:30:40.620Z", "dateReserved": "2026-02-26T01:52:58.736Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T18:34:21.717Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:simple-git_project:simple-git:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "0D5EEE95-320A-4CF3-836E-1CD9D0989ADD", "versionEndExcluding": "3.32.2", "versionStartIncluding": "3.15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability."}, {"lang": "es", "value": "simple-git, una interfaz para ejecutar comandos git en cualquier aplicaci\u00f3n node.js, tiene un problema en las versiones 3.15.0 a la 3.32.2 que permite a un atacante eludir dos correcciones CVE previas (CVE-2022-25860 y CVE-2022-25912) y lograr la ejecuci\u00f3n remota de c\u00f3digo completa en la m\u00e1quina anfitriona. La versi\u00f3n 3.23.0 contiene una correcci\u00f3n actualizada para la vulnerabilidad."}], "id": "CVE-2026-28292", "lastModified": "2026-04-14T16:16:38.047", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T19:17:20.840", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/steveukx/git-js/commit/f7042088aa2dac59e3c49a84d7a2f4b26048a257"}, {"source": "security-advisories@github.com", "url": "https://github.com/steveukx/git-js/security/advisories/GHSA-r275-fr43-pm7q"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.codeant.ai/security-research/security-research-simple-git-remote-code-execution-cve-2026-28292"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://www.codeant.ai/security-research/simple-git-remote-code-execution-cve-2026-28292"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-178"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "simple-git: simple-git: Remote Code Execution via bypass of prior security fixes", "id": "2446162", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446162"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-76", "details": ["A vulnerability was discovered in the simple-git Node.js library. The issue is caused by improper validation of user-supplied input when constructing Git commands. An attacker able to supply specially crafted repository URLs or arguments could exploit Git\u2019s ext:: protocol handler to execute arbitrary commands on the underlying system.\nThis flaw bypasses earlier mitigations intended to restrict unsafe Git protocols. By injecting configuration options that re-enable the ext:: protocol, an attacker could cause the application to execute arbitrary external commands through the Git client.\nIf a vulnerable application passes untrusted input to simple-git operations such as repository cloning or fetching, a remote attacker could exploit this flaw to execute arbitrary commands on the host system with the privileges of the application process."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-28292", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/elasticsearch6-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/elasticsearch-operator-bundle", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/elasticsearch-proxy-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/elasticsearch-rhel9-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/logging-curator5-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Affected", "package_name": "org.kie-process-migration-service", "product_name": "Red Hat Process Automation 7"}], "public_date": "2026-03-10T18:34:21Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-28292\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-28292\nhttps://github.com/steveukx/git-js/commit/f7042088aa2dac59e3c49a84d7a2f4b26048a257\nhttps://www.codeant.ai/security-research/security-research-simple-git-remote-code-execution-cve-2026-28292"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.15.0,3.32.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "simple-git", "source": "cna", "vendor": "steveukx"}, "product": "simple-git", "vendor": "steveukx"}], "analysis": {"en": {"generated_at": "2026-04-15T15:39:13.322178+00:00", "value": {"mitigation_remediation": ["Upgrade simple\u2011git to version 3.23.0 or later, which removes the vulnerable configuration handling.", "Ensure that the application never uses a protocol.allow key that differs in case from the expected lowercase string; consider removing the key or setting it to false.", "Audit all Git operations performed through simple\u2011git to verify that no external input can craft a malicious protocol.allow value; enforce strict input validation."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The issue affects steveukx\u2019s simple\u2011git library for Node.js, specifically versions 3.15.0 through 3.32.2. Applications built with these versions and configured with a protocol.allow key that is not strictly lowercase are at risk. Version 3.23.0 contains a fix that eliminates the vulnerability, but any deployment still running an earlier version remains vulnerable.", "description_and_impact": "simple-git, a Node.js library used to run git commands, contains a flaw that allows an attacker to bypass the blockUnsafeOperationsPlugin by exploiting a case\u2011insensitive protocol.allow configuration key. This bypass removes critical safety checks and enables the execution of arbitrary git operations, giving an attacker full remote code execution on the host system. The vulnerability also compromises previous patches for CVE-2022-25860 and CVE-2022-25912.", "risk_and_exploitability": "With a CVSS score of 9.8 this flaw represents a high\u2011severity threat. Although the EPSS score is below 1%\u2014indicating a low probability of exploitation in the wild\u2014the potential impact is catastrophic. Attackers who can provide a malicious configuration or trigger a git operation via the library can execute arbitrary commands on the host. The attack vector is inferred to involve supplying a repository URL or configuration value that the application processes, thereby exploiting the case\u2011insensitive protocol.allow check. The vulnerability is not listed in the CISA KEV catalog, but its severity warrants urgent action."}}}}, "created": "2026-03-11T11:43:56.365363+00:00", "updated": "2026-04-15T17:00:07.004219+00:00", "vendors": ["steveukx", "steveukx$PRODUCT$simple-git"]}