CVE-2022-25860 in simple-gitinfo

Summary

by MITRE • 01/26/2023

Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221).

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 03/25/2026

The vulnerability identified as CVE-2022-25860 affects the simple-git package, a popular node.js library for executing git commands programmatically. This issue represents a critical remote code execution flaw that can be exploited by attackers to execute arbitrary code on systems running vulnerable applications. The vulnerability specifically impacts versions prior to 3.16.0 and manifests through several core git operations including clone, pull, push, and listRemote methods. The security risk emerges from inadequate input sanitization practices that fail to properly validate and sanitize user-provided data before processing git commands, creating a pathway for malicious input to be interpreted as system commands.

The technical flaw stems from improper handling of command-line arguments and repository URLs within the git operations. When users provide input to these methods, the library fails to adequately escape or validate special characters that could be interpreted by the underlying shell or git command processor. This incomplete input sanitization allows attackers to inject malicious commands that get executed with the privileges of the process running the simple-git library. The vulnerability is particularly dangerous because git operations are commonly used in automated deployment pipelines, continuous integration systems, and web applications where user input may be processed without proper validation. The issue represents a regression where a previous fix for CVE-2022-25912 was deemed insufficient, leaving the library exposed to similar attack vectors through different code paths.

The operational impact of this vulnerability is severe and far-reaching across various deployment scenarios. Attackers can exploit this flaw in web applications that use simple-git for repository management, automated build systems that process user-provided repository URLs, or any system that accepts git repository inputs from untrusted sources. The vulnerability enables full system compromise when exploited, allowing attackers to execute arbitrary commands, access sensitive data, modify code repositories, or establish persistent access to affected systems. Given that simple-git is widely used in node.js applications, the potential attack surface is extensive, affecting everything from development environments to production servers. The vulnerability is particularly concerning in containerized environments or cloud deployments where the execution context may provide elevated privileges.

Security mitigations for CVE-2022-25860 primarily involve upgrading to version 3.16.0 or later of the simple-git package, which contains the necessary input sanitization fixes. Organizations should conduct comprehensive vulnerability assessments to identify all applications using affected versions of the library and prioritize immediate patching of critical systems. Additional protective measures include implementing strict input validation at application layers, using parameterized git operations where possible, and employing network segmentation to limit exposure. The vulnerability aligns with CWE-78, which describes improper neutralization of special elements used in OS commands, and maps to ATT&CK technique T1059.001 for command and script interpreter execution. Organizations should also consider implementing runtime monitoring and logging of git operations to detect potential exploitation attempts, as well as establishing secure coding practices that emphasize input validation and command injection prevention in all system components that interact with external command-line tools.

Responsible

Snyk

Reservation

02/24/2022

Disclosure

01/26/2023

Moderation

accepted

CPE

ready

EPSS

0.02712

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!