Critical (9.8)

CVE-2026-28292

`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and...

Affected: Node.js

Overview

A critical security vulnerability has been discovered in simple-git, a popular npm package used to run Git commands from within Node.js applications. This flaw, tracked as CVE-2026-28292, allows an attacker to bypass previous security fixes and execute arbitrary code on the host server. The vulnerability is present in versions 3.15.0 through 3.32.2.

Vulnerability Details

In simple terms, this vulnerability exists because the fixes for two prior critical flaws (CVE-2022-25860 and CVE-2022-25912) were incomplete. An attacker can craft malicious input that tricks the simple-git library into executing operating system commands instead of just Git commands. This typically occurs when the library processes user-controlled input, such as repository URLs or branch names fetched from an external source.

Impact and Severity

This is a Critical-severity vulnerability with a CVSS score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The impact is severe:

  • Full Remote Code Execution (RCE): An unauthenticated remote attacker can run any command on the server hosting the vulnerable application.
  • Complete System Compromise: This can lead to data theft, installation of malware, service disruption, or use of the server as a foothold for further attacks within your network.
  • Widespread Risk: Given simple-git’s popularity in automation scripts, CI/CD pipelines, and backend services, many applications could be exposed.


Remediation and Mitigation

Immediate action is required to secure affected systems.

Primary Fix: Update the Package

The only complete remediation is to upgrade simple-git to version 3.23.0 or later. Version 3.23.0 contains the corrected fix.

  • Command: Run `npm update simple-git` or `yarn upgrade simple-git` in your project directory.
  • Verify: Confirm your package.json now references version ^3.23.0 or higher.

Temporary Mitigation (If Immediate Update is Impossible):

  1. Input Sanitization: Rigorously validate and sanitize all user inputs passed to simple-git functions, especially repository URLs and branch names. Treat them as untrusted.
  2. Network Controls: Restrict network access to applications using simple-git to only necessary sources.
  3. Principle of Least Privilege: Ensure the Node.js process runs with the minimum system permissions required.
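As an added illustration of the first mitigation (example code written for this page, not simple-git's own, and not a fix for the underlying bug), the gate below allowlists repository URLs and branch names before they are handed to simple-git. The permitted hosts are an assumption; substitute your own.

```javascript
// Hardening gate for values that will be passed to simple-git (added example).
// It narrows what reaches the library while an upgrade is pending; upgrading
// to a fixed release remains the only complete remediation.

// Hosts this application may clone from (constructed assumption).
const ALLOWED_HOSTS = new Set(["github.com", "gitlab.example.internal"]);

// Subset of git's ref-name rules, plus an outright rejection of anything that
// starts with "-" so a branch name can never be read as a command-line option.
function isSafeBranchName(name) {
  if (typeof name !== "string" || name.length === 0 || name.length > 255) return false;
  if (name.startsWith("-") || name.startsWith("/") || name.endsWith("/")) return false;
  if (name.endsWith(".lock") || name.endsWith(".")) return false;
  if (name.includes("..") || name.includes("@{") || name.includes("//")) return false;
  // Control characters, whitespace and git's reserved punctuation are rejected.
  if (/[\x00-\x20\x7f~^:?*\[\\]/.test(name)) return false;
  return name.split("/").every((part) => part.length > 0 && !part.startsWith("."));
}

// Repository URLs: https only, allowlisted host, no embedded credentials, and
// never a value beginning with "-". scp-style "host:path" and bare paths do not
// parse as URLs; other transports (ssh://, file://, ext::) fail the scheme check.
function isAllowedRepoUrl(value) {
  if (typeof value !== "string" || value.startsWith("-")) return false;
  let url;
  try {
    url = new URL(value);
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false;
  if (url.username || url.password) return false;
  if (!ALLOWED_HOSTS.has(url.hostname)) return false;
  return /^\/[A-Za-z0-9._\-/]+$/.test(url.pathname);
}

// Call this before simpleGit().clone(repoUrl, dir, ["--branch", branch]).
function checkCloneArgs(repoUrl, branch) {
  if (!isAllowedRepoUrl(repoUrl)) throw new Error("repository URL rejected by allowlist");
  if (!isSafeBranchName(branch)) throw new Error("branch name rejected by ref-name rules");
  return { repoUrl, branch };
}
```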

Action Steps:

  1. Inventory all your applications and services that use the simple-git npm package.
  2. Check the installed version immediately (for example with `npm ls simple-git`).
  3. Plan and execute updates to version 3.23.0 or newer as a high-priority task.
  4. Review application logs for suspicious activity that occurred before the patch was applied.

Do not delay in applying this patch, as exploitation of this vulnerability can lead to a significant security incident.
