CVE-2022-25860: Remote code execution in simple-git

January 26, 2023 (updated April 1, 2025)

Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of CVE-2022-25912.

References

github.com/advisories/GHSA-9w5j-4mwv-2wj8
github.com/steveukx/git-js/commit/ec97a39ab60b89e870c5170121cd9c1603cc1951
github.com/steveukx/git-js/pull/881/commits/95459310e5b8f96e20bb77ef1a6559036b779e13
nvd.nist.gov/vuln/detail/CVE-2022-25860
security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3177391

Code Behaviors & Features

Detect and mitigate CVE-2022-25860 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →