Command injection in simple-git
High severity
GitHub Reviewed
Published Apr 2, 2022 to the GitHub Advisory Database. Updated Aug 17, 2023.
Published by the National Vulnerability Database: Apr 1, 2022
Published to the GitHub Advisory Database: Apr 2, 2022
Reviewed: Apr 4, 2022
Last updated: Aug 17, 2023
Description
simple-git (maintained as the git-js repository on GitHub) is a lightweight interface for running git commands in any Node.js application. Versions of the simple-git package before 3.5.0 are vulnerable to command injection due to an incomplete fix of CVE-2022-24433, which only patched the git fetch attack vector. The same use of git's --upload-pack feature is also supported by git clone, which the prior fix did not cover. A fix was released in simple-git@3.5.0.