CVE-2022-25912
Remote Code Execution vulnerability in simple-git (npm)
What is CVE-2022-25912 About?
The 'simple-git' package (versions before 3.15.0) is vulnerable to Remote Code Execution (RCE) when Git's 'ext' transport protocol is enabled and a repository URL is passed to the `clone()` method. Git's `ext::` remote helper executes the command embedded in the URL, so an attacker who controls the URL given to `clone()` (and can get the protocol enabled, either through the host's git configuration or through a `-c protocol.ext.allow=always` clone option that the application forwards) obtains arbitrary command execution on the host. This makes the flaw critical and directly exploitable in applications that clone user-supplied repositories.
Affected Software
- simple-git (npm), all versions prior to 3.15.0
Technical Details
This vulnerability in the 'simple-git' package (prior to version 3.15.0) exists because the fix for CVE-2022-24066, an argument-injection flaw in which git options such as `--upload-pack` could be smuggled into the arguments of `clone()`, `pull()` and `push()`, was incomplete and left another route to command execution open. Git supports a remote-helper URL syntax, `<helper>::<address>`, which it resolves by executing `git-remote-<helper>`; the built-in `ext` helper (`ext::<command> [<arguments>]`) runs the given command and speaks the Git protocol over its standard input and output. In `ext::` syntax a `%` followed by a space stands for a literal space, so a URL of the form `ext::sh -c touch% /tmp/pwn% >&2` makes git run `sh -c "touch /tmp/pwn >&2"`. Git disables this helper by default (`protocol.ext.allow` defaults to `never`), but it is active wherever the host's git configuration sets it to `always`, or when the clone command itself carries `-c protocol.ext.allow=always`. Before 3.15.0, 'simple-git' passed both an `ext::` URL and a `-c protocol.ext.allow` override supplied to `clone()` straight through to the git binary, so an application that lets users choose the repository URL (and, for the override, the clone options) ends up executing attacker-chosen commands with its own privileges. Version 3.15.0 blocks `ext::` remotes and `protocol.ext.allow` overrides by default; the opt-out for applications that genuinely need the protocol is described in the project's PLUGIN-UNSAFE-ACTIONS documentation linked below.
What is the Impact of CVE-2022-25912?
Successful exploitation may allow attackers to execute arbitrary code on the host system with the privileges of the running application, leading to full system compromise, data theft, or further network penetration.
What is the Exploitability of CVE-2022-25912?
Git ships with the 'ext' transport disabled (`protocol.ext.allow=never`), so exploitation needs the protocol enabled: either the host's git configuration already allows it, or the attacker can inject `-c protocol.ext.allow=always` through clone options that the application forwards from user input (versions before 3.15.0 forward both). Given that, the attack is triggered remotely by supplying a malicious `ext::` repository URL to `clone()`. No authentication or privilege is required beyond the ability to start a clone, for example through an "import repository" form in a web application. The payload is easy to craft, since `ext::` is documented Git syntax rather than a sanitization bypass, and it yields code execution with the application's privileges, so the risk is high wherever user-controlled URLs or options reach `clone()` in an affected version.
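The two preconditions described above (an attacker-controlled remote URL, and clone options that can carry a `-c protocol.ext.allow` override or an `--upload-pack` injection) can be closed at the application boundary. The following is an added example, not code from the simple-git project or from this advisory: it wraps `clone()` with an allowlist for the URL transport and for clone flags and rejects inputs shaped like the attack described under Technical Details. The names `safeClone`, `isSafeRemoteUrl`, `sanitizeCloneOptions`, the `recordingGit` stub and the sample inputs are assumptions constructed for the example; in real use `git` would be an instance returned by `simpleGit()` from simple-git 3.15.0 or later, with its default protections left in place.

```javascript
// Added example, not simple-git's own code: guard user-supplied input before
// it reaches simple-git's clone(). Upgrading to simple-git >= 3.15.0 is the
// fix; this is defence in depth around it.

// Git resolves any `<helper>::<address>` remote by executing git-remote-<helper>,
// and the built-in `ext::<command>` helper runs the command verbatim, so only
// plain transports are accepted: scheme://[user@]host[:port]/path or scp-like
// user@host:path. (Bracketed IPv6 hosts are rejected as a side effect.)
const SAFE_URL = /^(?:https?|ssh|git):\/\/(?:[\w.-]+@)?[\w.-]+(?::\d+)?\/[\w./~-]*$/;
const SAFE_SCP = /^[\w.-]+@[\w.-]+:[\w./~-]+$/;

function isSafeRemoteUrl(url) {
  if (typeof url !== 'string' || url.length === 0 || url.length > 2048) return false;
  if (url.startsWith('-')) return false;        // would be parsed as a git option
  if (url.includes('::')) return false;         // remote-helper syntax (ext::, fd::, ...)
  if (/[\s%;|&$`'"\\]/.test(url)) return false; // whitespace and shell metacharacters
  return SAFE_URL.test(url) || SAFE_SCP.test(url);
}

// Clone flags the application is prepared to forward, each with a validator
// for its value (null: the flag takes no value). Anything else, in particular
// -c/--config, --upload-pack/-u and --template, is refused outright because
// it changes what git reads or executes.
const ALLOWED_CLONE_FLAGS = {
  '--depth': /^\d{1,6}$/,
  '--branch': /^\w[\w./-]*$/,
  '--single-branch': null,
  '--no-tags': null,
};

function sanitizeCloneOptions(options = []) {
  const out = [];
  for (let i = 0; i < options.length; i++) {
    const opt = String(options[i]);
    const eq = opt.indexOf('=');
    const flag = eq === -1 ? opt : opt.slice(0, eq);
    // hasOwnProperty.call so that "__proto__" or "constructor" cannot match
    if (!Object.prototype.hasOwnProperty.call(ALLOWED_CLONE_FLAGS, flag)) {
      throw new Error(`clone option not permitted: ${opt}`);
    }
    const validator = ALLOWED_CLONE_FLAGS[flag];
    if (validator === null) {
      if (eq !== -1) throw new Error(`flag takes no value: ${opt}`);
      out.push(flag);
      continue;
    }
    let value;
    if (eq !== -1) value = opt.slice(eq + 1);
    else if (i + 1 < options.length) value = String(options[++i]);
    else throw new Error(`missing value for ${flag}`);
    if (!validator.test(value)) throw new Error(`bad value for ${flag}: ${value}`);
    out.push(flag, value);
  }
  return out;
}

// `git` is a simple-git instance (simpleGit() from version 3.15.0 or later,
// with the default unsafe-operation protections left in place).
function safeClone(git, url, targetDir, options = []) {
  if (!isSafeRemoteUrl(url)) throw new Error(`remote URL rejected: ${url}`);
  const args = sanitizeCloneOptions(options);
  return git.clone(url, targetDir, args);
}

// Constructed inputs shaped like the reported attack, for demonstration only.
const ATTACK_URL = 'ext::sh -c touch% /tmp/pwn% >&2';
const ATTACK_OPTS = ['-c', 'protocol.ext.allow=always'];

// Stand-in for a simple-git instance that only records the call it would make
// (constructed for this example so it runs offline; real code passes simpleGit()).
const recordingGit = { clone: (url, dir, args) => ({ url, dir, args }) };

function demo() {
  const cases = [
    ['https://github.com/steveukx/git-js.git', ['--depth', '1', '--branch=main']],
    [ATTACK_URL, ATTACK_OPTS],                                               // CVE-2022-25912 shape
    ['https://example.invalid/repo.git', ['--upload-pack', 'touch /tmp/pwn']], // CVE-2022-24066 shape
  ];
  return cases.map(([url, opts]) => {
    try {
      return { ok: true, call: safeClone(recordingGit, url, '/tmp/clone', opts) };
    } catch (e) {
      return { ok: false, reason: e.message };
    }
  });
}

console.log(JSON.stringify(demo(), null, 2));
```

The URL check rejects every `helper::address` form, not only `ext::`, because any such prefix makes git execute a helper program. The option allowlist is deliberately small and keyed by flag with a per-flag value validator; extend it that way rather than maintaining a denylist of known-bad flags, since `-c`, `--config`, `--upload-pack`, `--template` and others all change what git reads or runs. On hosts where the protocol might already be enabled, also check `git config --show-origin --get protocol.ext.allow` as part of the audit.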
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known public exploits listed | | |
What are the Available Fixes for CVE-2022-25912?
Available Upgrade Options
- simple-git
- <3.15.0 → Upgrade to 3.15.0 or later
- If an application genuinely needs the 'ext' protocol, enable it only through the explicit unsafe option documented in the project's PLUGIN-UNSAFE-ACTIONS.md (linked below); otherwise leave the default protection in place and validate any user-supplied repository URLs and clone options before they reach `clone()`
Additional Resources
- https://github.com/steveukx/git-js/releases/tag/simple-git%403.15.0
- https://nvd.nist.gov/vuln/detail/CVE-2022-25912
- https://github.com/steveukx/git-js
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3153532
- https://github.com/steveukx/git-js/commit/774648049eb3e628379e292ea172dccaba610504
- https://github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md#overriding-allowed-protocols
- https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221
- https://osv.dev/vulnerability/GHSA-9p95-fxvg-qgq2
What are Similar Vulnerabilities to CVE-2022-25912?
Similar Vulnerabilities: CVE-2022-24066, CVE-2022-25860, CVE-2021-21315, CVE-2021-21316, CVE-2021-21317
