
AIKIDO-2026-10315

simple-git is vulnerable to Remote Code Execution (RCE)

Remote Code Execution (RCE) | CVE-2022-25860 | Published Mar 10, 2026

Score: 80 (High Risk)

This Affects:

simple-git (JavaScript)
Versions 0.0.1 - 3.32.1
Fixed in 3.32.2

TL;DR

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via the clone() method because of an incomplete fix for CVE-2022-25860. The unsafe plugin is meant to block the --upload-pack switch (git executes the program named by that switch to serve the clone, so an attacker who controls clone options gains command execution), but its detection did not recognise the short form -u when it was bundled with other single-character git clone options, for example hidden behind a harmless switch in the same token. The patch replaces the regex approach with a two-step parser that strips null bytes and leading dashes before validating the remaining token against the set of valid clone short options.
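The bypass class described above, together with an allowlist parser of the kind the patch moves to, as an added example. This is illustration code written for this page, not simple-git's own unsafe plugin; the option tables, the function names and the sample argument lists are assumptions made for the example, and the sample arguments are constructed rather than taken from any report.

```javascript
'use strict';

// Example code for this advisory page, not simple-git's implementation. The option
// tables below are an assumed subset of "git clone" switches chosen for illustration.

// Short options modelled here. value: true means the option consumes the rest of the
// bundle, or the next argument, as its value, the way git treats "-b main" and
// "-bmain" alike. 'u' is deliberately absent: -u/--upload-pack names a program git runs.
const CLONE_SHORT_OPTS = {
  q: { value: false }, v: { value: false }, n: { value: false },
  l: { value: false }, s: { value: false }, '4': { value: false }, '6': { value: false },
  b: { value: true }, o: { value: true }, c: { value: true }, j: { value: true },
};

// Long options allowed through (assumed subset). Matching exact names also blocks
// git's unambiguous-prefix abbreviations such as "--upload-p".
const CLONE_LONG_OPTS = new Set([
  'quiet', 'verbose', 'no-checkout', 'local', 'shared', 'branch', 'origin',
  'config', 'jobs', 'depth', 'bare', 'mirror', 'recurse-submodules', 'single-branch',
]);

// Naive filter in the spirit of a regex that only recognises the switch when it
// opens the argument: "-qu" and "-\0u" are not seen as -u at all.
function naiveIsUploadPack(arg) {
  return /^-u|^--upload-pack/.test(arg);
}

// Hardened filter: normalise first, then accept only what the allowlist explains.
// Returns true when the argument must be rejected.
function hardenedRejects(arg) {
  const cleaned = String(arg).replace(/\0/g, '');               // step 1: drop NUL bytes
  if (!cleaned.startsWith('-') || cleaned === '-') return false; // positional argument
  if (cleaned === '--') return false;                            // end-of-options marker
  const body = cleaned.replace(/^-+/, '');                       // step 2: strip leading dashes
  if (cleaned.startsWith('--')) {
    const name = body.split('=')[0];                             // "--depth=1" -> "depth"
    return !CLONE_LONG_OPTS.has(name);
  }
  // Short-option bundle such as "-qn", "-qb" (value in the next argument) or "-qbmain".
  for (let i = 0; i < body.length; i++) {
    const spec = CLONE_SHORT_OPTS[body[i]];
    if (!spec) return true;      // 'u', or anything else not in the table
    if (spec.value) break;       // the remaining characters are this option's value
  }
  return false;
}

// Arguments a given filter would hand on to git; used to compare both filters.
function passedThrough(args, rejects) {
  return args.filter((a) => !rejects(a));
}

// Constructed sample argument lists (not from the advisory or any exploit).
const SAMPLES = {
  benign: ['--depth=1', '-qn', '-b', 'main'],
  obvious: ['-u', '/tmp/hook.sh'],
  bundled: ['-qu', '/tmp/hook.sh'],          // -u hidden behind -q in one token
  nulByte: ['-\u0000u', '/tmp/hook.sh'],     // NUL splits the token for a naive matcher
  abbreviated: ['--upload-p=/tmp/hook.sh'],  // git accepts unambiguous option prefixes
};

// Runs every sample through both filters and returns what each would let through.
function report() {
  const out = {};
  for (const [name, args] of Object.entries(SAMPLES)) {
    out[name] = {
      naive: passedThrough(args, naiveIsUploadPack),
      hardened: passedThrough(args, hardenedRejects),
    };
  }
  return out;
}

console.log(JSON.stringify(report(), null, 2));
```

In the report, the naive filter lets `-qu`, the NUL-split token and the abbreviated long form reach git while the hardened one drops all three and keeps the benign list intact. In real code the right response to a rejected option is to refuse the whole clone() call rather than silently dropping one argument, since the value that followed the switch is otherwise reinterpreted as a positional argument; the filter form is used here only to make the two checks comparable.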

Who does this affect?

You are affected if you use a simple-git version in the range 0.0.1 - 3.32.1 and untrusted input can reach the options passed to clone(); the unsafe plugin's blocking of --upload-pack cannot be relied on as the control in those versions.

Background info

simple-git is vulnerable to Remote Code Execution (RCE) in versions 0.0.1 - 3.32.1.

How to fix this

Upgrade simple-git to 3.32.2 or later, which contains the patch. Until you can upgrade, do not pass user-controlled strings as clone() options, since the version-range check is the only reliable safeguard.