A vulnerability was discovered in the simple-git Node.js library. The issue is caused by improper validation of user-supplied input when constructing Git commands. An attacker able to supply specially crafted repository URLs or arguments could exploit Git’s ext:: protocol handler to execute arbitrary commands on the underlying system. This flaw bypasses earlier mitigations intended to restrict unsafe Git protocols. By injecting configuration options that re-enable the ext:: protocol, an attacker could cause the application to execute arbitrary external commands through the Git client. If a vulnerable application passes untrusted input to simple-git operations such as repository cloning or fetching, a remote attacker could exploit this flaw to execute arbitrary commands on the host system with the privileges of the application process.

`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.

simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE