CVE-2026-6951: simple-git is vulnerable to Remote Code Execution
Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for CVE-2022-25912 that blocks the `-c` option but not the equivalent `--config` form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling `protocol.ext.allow=always` and using an `ext::` clone source.
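The mitigation this advisory points to is an allowlist rather than a denylist of option spellings: the original fix rejected `-c` and missed `--config`, and an allowlist rejects both without having to enumerate them. The validator below is an added example, not code from simple-git or GitLab; `checkCloneRequest`, its allowed option set and the URL pattern are assumptions chosen for illustration.

```javascript
// Added example (not simple-git's own code): allowlist validation of a
// clone request before it reaches simpleGit().clone(url, dir, options).
// Only options named here are passed on, so -c, --config, --config=...
// and any other unlisted flag are refused without being enumerated.
const ALLOWED = {
  '--depth': (v) => /^[1-9][0-9]{0,3}$/.test(v),                // small positive int
  '--branch': (v) => /^[A-Za-z0-9][A-Za-z0-9._\/-]*$/.test(v),  // no leading '-'
  '--single-branch': null,                                       // takes no value
  '--no-tags': null,
};

// Only plain https:// sources; ext:: and every other transport is refused.
const SAFE_URL = /^https:\/\/[A-Za-z0-9.-]+\/[A-Za-z0-9._\/-]+$/;

function checkCloneRequest(url, options) {
  if (typeof url !== 'string' || !SAFE_URL.test(url)) {
    return { ok: false, error: `clone source not allowed: ${url}` };
  }
  if (!Array.isArray(options)) return { ok: false, error: 'options must be an array' };
  const args = [];
  for (let i = 0; i < options.length; i++) {
    const opt = options[i];
    if (typeof opt !== 'string') return { ok: false, error: 'non-string option' };
    // Normalise "--flag=value" and "--flag value" to the same shape.
    const eq = opt.indexOf('=');
    const name = eq === -1 ? opt : opt.slice(0, eq);
    if (!Object.prototype.hasOwnProperty.call(ALLOWED, name)) {
      return { ok: false, error: `option not allowed: ${opt}` };
    }
    const valueCheck = ALLOWED[name];
    if (valueCheck === null) {
      if (eq !== -1) return { ok: false, error: `option takes no value: ${opt}` };
      args.push(name);
      continue;
    }
    const value = eq === -1 ? options[++i] : opt.slice(eq + 1);
    if (typeof value !== 'string' || !valueCheck(value)) {
      return { ok: false, error: `bad value for ${name}: ${value}` };
    }
    args.push(name, value); // always emitted as separate argv entries
  }
  return { ok: true, args };
}
```

A value that itself starts with `-` (for example a "branch" name that is really another option) is rejected by the value check, so a user cannot smuggle an option in through a value slot.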