{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28291", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-26T01:52:58.735Z", "datePublished": "2026-04-13T17:15:14.594Z", "dateUpdated": "2026-04-14T16:30:34.266Z"}, "containers": {"cna": {"title": "simple-git has Command Execution via Option-Parsing Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/steveukx/git-js/security/advisories/GHSA-jcxm-m3jx-f287", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/steveukx/git-js/security/advisories/GHSA-jcxm-m3jx-f287"}, {"name": "https://github.com/steveukx/git-js/commit/1effd8e5012a5da05a9776512fac3e39b11f2d2d", "tags": ["x_refsource_MISC"], "url": "https://github.com/steveukx/git-js/commit/1effd8e5012a5da05a9776512fac3e39b11f2d2d"}, {"name": "https://github.com/steveukx/git-js/blob/789c13ebabcf18ebe0b3a0c88ebb4037dede42e3/simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts#L26", "tags": ["x_refsource_MISC"], "url": "https://github.com/steveukx/git-js/blob/789c13ebabcf18ebe0b3a0c88ebb4037dede42e3/simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts#L26"}, {"name": "https://github.com/steveukx/git-js/releases/tag/simple-git%403.32.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/steveukx/git-js/releases/tag/simple-git%403.32.0"}, {"name": "https://www.cve.org/CVERecord?id=CVE-2022-25860", "tags": ["x_refsource_MISC"], "url": "https://www.cve.org/CVERecord?id=CVE-2022-25860"}], "affected": [{"vendor": "steveukx", "product": "git-js", "versions": [{"version": "< 3.32.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T16:30:34.266Z"}, "descriptions": [{"lang": "en", "value": "simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for CVE-2022-25860, as Git's flexible option parsing allows numerous character combinations (e.g., -vu, -4u, -nu) to circumvent the regular-expression-based blocklist in the unsafe operations plugin. Due to the virtually infinite number of valid option variants that Git accepts, a complete blocklist-based mitigation may be infeasible without fully emulating Git's option parsing behavior. This issue has been fixed in version 3.32.0."}], "source": {"advisory": "GHSA-jcxm-m3jx-f287", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/steveukx/git-js/security/advisories/GHSA-jcxm-m3jx-f287", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T13:53:36.631739Z", "id": "CVE-2026-28291", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:53:41.169Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28291", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T13:53:36.631739Z"}}}], "references": [{"url": "https://github.com/steveukx/git-js/security/advisories/GHSA-jcxm-m3jx-f287", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:53:28.645Z"}}], "cna": {"title": "simple-git has Command Execution via Option-Parsing Bypass", "source": {"advisory": "GHSA-jcxm-m3jx-f287", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "steveukx", "product": "git-js", "versions": [{"status": "affected", "version": "< 3.32.0"}]}], "references": [{"url": "https://github.com/steveukx/git-js/security/advisories/GHSA-jcxm-m3jx-f287", "name": "https://github.com/steveukx/git-js/security/advisories/GHSA-jcxm-m3jx-f287", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/steveukx/git-js/commit/1effd8e5012a5da05a9776512fac3e39b11f2d2d", "name": "https://github.com/steveukx/git-js/commit/1effd8e5012a5da05a9776512fac3e39b11f2d2d", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/steveukx/git-js/blob/789c13ebabcf18ebe0b3a0c88ebb4037dede42e3/simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts#L26", "name": "https://github.com/steveukx/git-js/blob/789c13ebabcf18ebe0b3a0c88ebb4037dede42e3/simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts#L26", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/steveukx/git-js/releases/tag/simple-git%403.32.0", "name": "https://github.com/steveukx/git-js/releases/tag/simple-git%403.32.0", "tags": ["x_refsource_MISC"]}, {"url": "https://www.cve.org/CVERecord?id=CVE-2022-25860", "name": "https://www.cve.org/CVERecord?id=CVE-2022-25860", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for CVE-2022-25860, as Git's flexible option parsing allows numerous character combinations (e.g., -vu, -4u, -nu) to circumvent the regular-expression-based blocklist in the unsafe operations plugin. Due to the virtually infinite number of valid option variants that Git accepts, a complete blocklist-based mitigation may be infeasible without fully emulating Git's option parsing behavior. This issue has been fixed in version 3.32.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T16:30:34.266Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28291", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:30:34.266Z", "dateReserved": "2026-02-26T01:52:58.735Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-13T17:15:14.594Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for CVE-2022-25860, as Git's flexible option parsing allows numerous character combinations (e.g., -vu, -4u, -nu) to circumvent the regular-expression-based blocklist in the unsafe operations plugin. Due to the virtually infinite number of valid option variants that Git accepts, a complete blocklist-based mitigation may be infeasible without fully emulating Git's option parsing behavior. This issue has been fixed in version 3.32.0."}], "id": "CVE-2026-28291", "lastModified": "2026-04-14T17:16:48.767", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-13T18:16:28.760", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/steveukx/git-js/blob/789c13ebabcf18ebe0b3a0c88ebb4037dede42e3/simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts#L26"}, {"source": "security-advisories@github.com", "url": "https://github.com/steveukx/git-js/commit/1effd8e5012a5da05a9776512fac3e39b11f2d2d"}, {"source": "security-advisories@github.com", "url": "https://github.com/steveukx/git-js/releases/tag/simple-git%403.32.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/steveukx/git-js/security/advisories/GHSA-jcxm-m3jx-f287"}, {"source": "security-advisories@github.com", "url": "https://www.cve.org/CVERecord?id=CVE-2022-25860"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/steveukx/git-js/security/advisories/GHSA-jcxm-m3jx-f287"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "simple-git: simple-git: Command Execution via Option-Parsing Bypass in simple-git", "id": "2457930", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457930"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-78", "details": ["A flaw was found in simple-git, a JavaScript library for running native Git commands. An attacker could exploit this vulnerability by manipulating Git options, bypassing existing safety checks. This incomplete fix for a previous vulnerability allows for the execution of arbitrary commands, leading to potential system compromise."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-28291", "package_state": [{"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "simple-git", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Affected", "package_name": "simple-git", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "simple-git", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Affected", "package_name": "simple-git", "product_name": "Red Hat Process Automation 7"}], "public_date": "2026-04-13T17:15:14Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-28291\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-28291\nhttps://github.com/steveukx/git-js/blob/789c13ebabcf18ebe0b3a0c88ebb4037dede42e3/simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts#L26\nhttps://github.com/steveukx/git-js/releases/tag/simple-git%403.32.0\nhttps://github.com/steveukx/git-js/security/advisories/GHSA-jcxm-m3jx-f287\nhttps://www.cve.org/CVERecord?id=CVE-2022-25860"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.32.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "git-js", "source": "cna", "vendor": "steveukx"}, "product": "git-js", "vendor": "steveukx"}], "analysis": {"en": {"generated_at": "2026-04-13T18:21:28.191099+00:00", "value": {"mitigation_remediation": ["Upgrade simple-git to version 3.32.0 or later.", "If an upgrade is not yet feasible, remove or disable the unsafe operations plugin and ensure no user-supplied options reach Git commands.", "Sanitize all Git options passed to simple-git, rejecting any that contain characters or patterns associated with unsafe operations.", "Monitor application logs for unexpected command executions and audit code paths that invoke simple-git."], "summary": {"action": "Immediate Patch", "impact": "Command Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the simple-git library distributed by steveukx under the git-js project. Versions up to and including 3.31.1 are impacted, while version 3.32.0 and later contain the fix. Applications that rely on simple-git for remote Git interactions or local repository management are at risk if they use an affected version.", "description_and_impact": "simple-git allows the execution of arbitrary commands by manipulating Git options that bypass the plugin designed to block unsafe operations. The flaw lies in an incomplete expurgation of option strings, letting attackers craft variants such as -vu or -nu that slip past a regular expression blocklist. This constitutes an OS command injection weakness (CWE-78). The impact is that any code executing through simple-git can run arbitrary shell commands, potentially compromising the host system where the Node.js application runs.", "risk_and_exploitability": "The CVSS score of 8.1 indicates high severity, reflecting that successful exploitation would provide full command execution. EPSS data is not available, and the flaw is not listed in the CISA KEV catalog, suggesting no widespread known exploitation yet. Attackers would need the ability to influence or inject Git options into the simple-git call; this is typically possible when the application processes untrusted data that is passed to git commands."}}}}, "created": "2026-04-14T16:18:42.563694+00:00", "updated": "2026-04-14T16:33:50.573950+00:00", "vendors": ["steveukx", "steveukx$PRODUCT$git-js"]}