High (8.1)

simple-git arbitrary command execution (CVE-2026-28291)


simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant...

Overview

A high-severity command injection vulnerability, tracked as CVE-2026-28291, has been patched in the popular simple-git JavaScript library. This library provides a high-level API for running Git commands from within Node.js applications. The flaw allows an attacker to bypass built-in safety checks and execute arbitrary commands on the host system.

Vulnerability Details

The vulnerability is a bypass of the earlier fix for CVE-2022-25860. simple-git ships an “unsafe operations” plugin intended to block dangerous Git command-line options, such as --upload-pack (-u), which can be abused to run an arbitrary program instead of Git’s own helper. That blocklist relied on a regular expression to recognise the dangerous options.

However, Git’s command-line parser accepts many spellings of the same option, including short flags bundled together with other flags (e.g., -vu, -4u, -nu). An attacker who controls the arguments passed to simple-git can supply the dangerous option in a form the blocklist’s pattern does not match, which results in execution of arbitrary system commands.

Impact and Severity

This vulnerability has a CVSS score of 8.1 (High). It is network-exploitable, requires no privileges, and needs no user interaction, making it a significant risk for applications that process untrusted input and use simple-git. A successful exploit could lead to full compromise of the underlying server, data theft, or deployment of ransomware. While not currently listed on CISA’s Known Exploited Vulnerabilities catalog, the potential for abuse is high.

Affected Versions and Remediation

All versions of simple-git up to and including 3.31.1 are vulnerable.

Primary Fix: The only complete remediation is to upgrade simple-git to version 3.32.0 or later. Update your project’s dependencies using your package manager (npm or yarn).

Verification: After updating, verify your package.json file lists "simple-git": "^3.32.0" and that no older versions are present in your node_modules directory. You can run npm list simple-git to check the installed version.

Mitigation (If Patching is Delayed): If immediate updating is impossible, review and sanitize all user inputs that are passed to simple-git functions. However, input validation is error-prone and should not be considered a substitute for applying the official patch.

Security Insight

This vulnerability highlights the inherent risk of blocklist-based security, especially when the thing being filtered is input to a complex parser such as Git’s. Because the earlier fix did not fully reproduce Git’s argument parsing, it could be circumvented; libraries that wrap powerful native tools are better served by allowlisting the options they actually need, or by sandboxing the tool, than by enumerating forbidden ones.
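To make the point of the Vulnerability Details and Security Insight sections concrete, here is an added example (not simple-git’s own code): a deliberately simplified regex blocklist of the kind the advisory describes, beside an allowlist validator that refuses every short-option cluster rather than trying to enumerate the bundled forms. The allowed long options and the sample arguments are assumptions constructed for the demonstration.

```javascript
// Added example, not simple-git's code. Compares a naive regex blocklist with an
// allowlist validator on the option spellings named in the advisory.

// Naive blocklist: only matches the option written exactly as "-u" or
// "--upload-pack" (optionally with an inline "=value"). Hypothetical, for illustration.
const NAIVE_BLOCKLIST = /^(?:-u|--upload-pack)(?:=.*)?$/;

function blocklistRejects(arg) {
  return NAIVE_BLOCKLIST.test(arg);
}

// Allowlist validator: the only options permitted are long options from an explicit
// set (assumed here; a real caller lists what it actually needs). Short flags are
// rejected wholesale, because Git accepts bundled forms such as -vu, -4u and -nu
// that a pattern-based blocklist cannot exhaustively cover.
const ALLOWED_LONG_OPTIONS = new Set(['--depth', '--branch', '--single-branch']);

function allowlistAccepts(arg) {
  if (arg === '--') return true;            // end-of-options marker
  if (!arg.startsWith('-')) return true;    // positional value, not an option
  if (!arg.startsWith('--')) return false;  // any short-option cluster, bundled or not
  const name = arg.split('=', 1)[0];        // drop an inline "=value"
  return ALLOWED_LONG_OPTIONS.has(name);
}

// Validate a whole argument vector; returns the first rejected argument or null.
// Arguments after "--" are still checked, which is deliberately conservative.
function firstDisallowedArg(args) {
  for (const arg of args) {
    if (!allowlistAccepts(arg)) return arg;
  }
  return null;
}

// Constructed sample inputs: the forms named in the advisory plus benign ones.
const SAMPLES = ['-u', '-vu', '-4u', '-nu', '--upload-pack=x', '--depth=1', 'origin'];

for (const arg of SAMPLES) {
  console.log(
    `${arg.padEnd(16)} blocklist rejects: ${String(blocklistRejects(arg)).padEnd(5)} ` +
    `allowlist accepts: ${allowlistAccepts(arg)}`
  );
}
```

The printed table shows the naive blocklist catching only the exact "-u" and "--upload-pack" spellings while the allowlist rejects every variant, which is the property a wrapper around a native tool should aim for.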
