← back
CVE-2026-28292

simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key that enables RCE

CVSS 9.8 CRITICALEPSS 1.3%CWE-178CWE-78
`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
steveukx · simple-git
public PoCs found1
cve_referencewww.codeant.ai/security-research/simple-git-remote-code-execution-cve-2026-28292unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/steveukx/git-js/commit/f7042088aa2dac59e3c49a84d7a2f4b26048a257https://github.com/steveukx/git-js/security/advisories/GHSA-r275-fr43-pm7qhttps://www.codeant.ai/security-research/security-research-simple-git-remote-code-execution-cve-2026-28292https://www.codeant.ai/security-research/simple-git-remote-code-execution-cve-2026-28292