- Snyk ID SNYK-JS-SIMPLEGIT-3112221
- published 5 Dec 2022
- disclosed 10 Nov 2022
- credit Sam Wheating
How to fix?
Upgrade simple-git to version 3.15.0 or higher.
simple-git is a lightweight interface for running git commands in any Node.js application.
Affected versions of this package are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via
This vulnerability exists due to an incomplete fix of CVE-2022-24066.
```javascript
const simpleGit = require('simple-git')
const git2 = simpleGit()
git2.clone('ext::sh -c touch% /tmp/pwn% >&2', '/tmp/example-new-repo', ["-c", "protocol.ext.allow=always"]);
```
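For code that passes untrusted repository URLs or options to `clone()`, an input check can sit alongside the upgrade. The following is an added example, not code from Snyk or from simple-git; `findUnsafeCloneArgs` and `safeClone` are hypothetical helper names, and the check is assumed to run before any simple-git call.

```javascript
'use strict';

// Any "protocol.allow" or "protocol.<name>.allow" assignment, wherever it sits
// in an option token ("-c" value, "--config=...", "-c<key>=<value>").
// Deliberately conservative: the key is matched case-insensitively and every
// value is refused, not only "always".
const PROTOCOL_ALLOW = /protocol(\.[^.=\s]+)?\.allow\s*=/i;

// Hypothetical helper: returns the reasons a clone request must be refused.
// An empty array means neither the ext transport nor an override was found.
function findUnsafeCloneArgs(repoUrl, options = []) {
  const reasons = [];
  if (/^\s*ext::/i.test(String(repoUrl))) {
    reasons.push('repository URL uses the ext:: transport');
  }
  // Options may be an array or an object; flatten an object to keys and values.
  const tokens = Array.isArray(options) ? options : Object.entries(options).flat();
  for (const token of tokens) {
    if (PROTOCOL_ALLOW.test(String(token))) {
      reasons.push(`option overrides git protocol policy: ${token}`);
    }
  }
  return reasons;
}

// Hypothetical wrapper for untrusted input. `git` is a simple-git instance (or
// any object with a compatible clone method), passed in so that the check
// itself has no dependency on the library.
function safeClone(git, repoUrl, localPath, options = []) {
  const reasons = findUnsafeCloneArgs(repoUrl, options);
  if (reasons.length > 0) {
    throw new Error(`clone refused: ${reasons.join('; ')}`);
  }
  return git.clone(repoUrl, localPath, options);
}

// Constructed sample inputs: the arguments from the proof of concept on this
// page, and an ordinary HTTPS clone (example.com is a placeholder host).
const SAMPLES = [
  ['ext::sh -c touch% /tmp/pwn% >&2', ['-c', 'protocol.ext.allow=always']],
  ['https://example.com/repo.git', ['--depth', '1']],
];
for (const [url, opts] of SAMPLES) {
  console.log(url, '->', findUnsafeCloneArgs(url, opts));
}
```

The pattern refuses every protocol policy override rather than trying to judge its value, so a caller that legitimately needs one has to set it outside the untrusted input path.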