CVE-2022-25860
Remote Code Execution vulnerability in simple-git (npm)

Vulnerability type: Remote Code Execution. Known public exploit: none.

What is CVE-2022-25860 About?

Versions of the 'simple-git' package prior to 3.16.0 are vulnerable to Remote Code Execution (RCE) through several methods, including `clone()`, `pull()`, `push()`, and `listRemote()`. The cause is insufficient input sanitization: an attacker who can supply malicious input to these methods can execute arbitrary commands. This is a critical vulnerability that is moderately easy to exploit.

Affected Software

simple-git <3.16.0

Technical Details

This vulnerability in 'simple-git' (before version 3.16.0) is another instance of an incomplete fix, in this case of CVE-2022-25912. It arises from improper input sanitization across several core methods: clone(), pull(), push(), and listRemote(). These methods execute underlying Git commands, and if user-supplied input (e.g., repository URLs, branch names, remote names) is not properly sanitized or escaped, an attacker can inject shell metacharacters or commands. When these methods are called with the malicious input, the 'simple-git' library passes it directly to the underlying shell, leading to the execution of arbitrary commands on the system where the 'simple-git' application is running.

What is the Impact of CVE-2022-25860?

Successful exploitation may allow attackers to execute arbitrary code on the host system with the privileges of the running application, leading to full system compromise, data theft, or further network penetration.

What is the Exploitability of CVE-2022-25860?

Exploitation can occur remotely by providing maliciously crafted input to functions like clone(), pull(), push(), or listRemote(). The attacker does not require authentication or elevated privileges to achieve initial compromise, only the ability to supply input to these 'simple-git' methods. The complexity is moderate, as it requires crafting specific payloads that exploit the lack of input sanitization to inject shell commands. The impact is high because successful exploitation results in RCE. Risk factors include applications that accept user-controlled strings for repository URLs, branch names, or remote names without robust validation.
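The risk factor named above (user-controlled repository URLs, branch names and remote names reaching simple-git unchecked) is what an application can control while it schedules the upgrade. The following is an added defensive example, not code from the simple-git project or from this advisory: it validates those strings before they are handed to clone() or pull(), rejecting anything git could read as a command-line option (a leading dash), anything carrying whitespace or shell metacharacters, and any URL scheme outside an allowlist. The allowlist of https and ssh, the ref-name policy, and the injected `git` object (so a stub can stand in for a real simple-git instance) are assumptions of this example.

```javascript
// Added defensive example; not code from the simple-git project.
// Gates user-controlled strings before they reach simple-git's
// clone()/pull()/push()/listRemote(). Assumptions: only https and ssh
// repository URLs are acceptable to this application, and the simple-git
// instance is passed in (e.g. require('simple-git')(workDir)) so a stub
// can stand in for it when the file is run on its own.

const ALLOWED_SCHEMES = new Set(['https:', 'ssh:']);
// Conservative subset of what git permits in ref and remote names; the
// first character must be a letter or digit, so a leading '-' is impossible.
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9._\/-]{0,254}$/;
// Whitespace, control characters and common shell metacharacters.
const FORBIDDEN = /[\s\x00-\x1f\x7f;&|`$<>(){}'"\\]/;

function validateRepoUrl(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > 2048) {
    return { ok: false, reason: 'empty or oversized' };
  }
  // A leading dash would be parsed by git as a command-line option.
  if (input.startsWith('-')) return { ok: false, reason: 'leading dash' };
  if (FORBIDDEN.test(input)) return { ok: false, reason: 'forbidden character' };
  let url;
  try {
    url = new URL(input); // throws for relative or scp-style ("user@host:path") input
  } catch {
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.hostname === '') return { ok: false, reason: 'missing host' };
  return { ok: true, value: url.toString() };
}

function validateRefName(input) {
  if (typeof input !== 'string' || !SAFE_NAME.test(input)) {
    return { ok: false, reason: 'invalid characters or length' };
  }
  // git-check-ref-format rules the character class alone does not cover.
  if (input.includes('..') || input.endsWith('.lock') ||
      input.endsWith('/') || input.endsWith('.')) {
    return { ok: false, reason: 'invalid ref syntax' };
  }
  return { ok: true, value: input };
}

// Validated wrappers. `git` is a simple-git instance (or a stub).
async function safeClone(git, repoUrl, targetDir) {
  const checked = validateRepoUrl(repoUrl);
  if (!checked.ok) throw new Error(`rejected repository URL: ${checked.reason}`);
  // targetDir is chosen by the application, never taken from the user.
  return git.clone(checked.value, targetDir);
}

async function safePull(git, remote, branch) {
  const r = validateRefName(remote);
  const b = validateRefName(branch);
  if (!r.ok) throw new Error(`rejected remote name: ${r.reason}`);
  if (!b.ok) throw new Error(`rejected branch name: ${b.reason}`);
  return git.pull(r.value, b.value);
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed stub standing in for simple-git so the example runs offline.
  const stub = {
    clone: async (url, dir) => `clone ${url} -> ${dir}`,
    pull: async (remote, branch) => `pull ${remote} ${branch}`,
  };
  safeClone(stub, 'https://example.com/org/repo.git', '/srv/checkouts/repo').then(console.log);
  safeClone(stub, '-not-a-url', '/srv/checkouts/x').catch((e) => console.log(e.message));
  safePull(stub, 'origin', 'main').then(console.log);
}
```

This is defense in depth, not a substitute for the fix: the library itself must be upgraded to 3.16.0 or later. Note that the policy deliberately rejects scp-style `user@host:path` syntax, because it does not parse as an absolute URL; callers must supply `ssh://` URLs instead.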

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary listed).

What are the Available Fixes for CVE-2022-25860?

Available Upgrade Options

  • simple-git
    • <3.16.0 → Upgrade to 3.16.0


Additional Resources

What are Similar Vulnerabilities to CVE-2022-25860?

Similar Vulnerabilities: CVE-2022-25912, CVE-2022-24066, CVE-2021-21315, CVE-2021-21316, CVE-2021-21317