Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') Affecting simple-git package, versions <3.5.0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
- Snyk ID SNYK-JS-SIMPLEGIT-2434306
- published 29 Mar 2022
- disclosed 28 Mar 2022
- credit Liran Tal of Snyk
How to fix?
simple-git to version 3.5.0 or higher.
simple-git is a light weight interface for running git commands in any node.js application.
Affected versions of this package are vulnerable to Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') due to an incomplete fix of CVE-2022-24433 which only patches against the
git fetch attack vector.
A similar use of the
--upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.
const simpleGit = require('simple-git') const git2 = simpleGit() git2.clone('file:///tmp/zero123', '/tmp/example-new-repo', ['--upload-pack=touch /tmp/pwn']);