simple-git patches Git option-parsing bypass enabling command execution
TL;DR — A blocklist-based safety plugin in simple-git can be bypassed via Git option variants, enabling arbitrary command execution when untrusted input can influence Git arguments.
What happened
simple-git is a JavaScript library that enables running native git commands from Node.js, commonly used in developer tooling and automation.
CVE-2026-28291 describes a command execution issue where Git option manipulation can bypass safety checks intended to block dangerous options (including -u and --upload-pack). The CVE attributes the root cause to an incomplete fix for a prior issue (CVE-2022-25860): Git’s flexible option parsing allows many character combinations (examples in the CVE include -vu, -4u, -nu) that can evade a regular-expression-based blocklist in the “unsafe operations” plugin.
| Item | Source value |
|---|---|
| Vulnerability | Command execution via Git option-parsing bypass |
| CWE | CWE-78 OS Command Injection |
| Severity | CVSS v3.1 8.1 (High) |
| CVSS vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Affected versions (CVE record) | simple-git / git-js versions < 3.32.0 |
| Fix statement (CVE record) | "This issue has been fixed in version 3.32.0." |
This is the familiar failure mode of blocklist defenses in front of command-execution surfaces: once parsing and interpretation are delegated to a complex downstream tool (here, git), a filter that only partially emulates that tool's parser will have bypasses, and they are hard to enumerate exhaustively. Git's short-option bundling is one concrete instance: a check that looks for `-u` at the start of an argument never sees the `-u` inside `-vu`.
Who is impacted
- Projects using `simple-git` (the CVE record lists vendor `steveukx`, product `git-js`) in versions < 3.32.0.
- Highest-risk deployments are those where untrusted input (API parameters, webhook payloads, issue titles or branch names from external repos, multi-tenant automation) can influence Git options or arguments passed through `simple-git`.
- Platform teams running internal Git automation services (release tooling, repo syncers, CI helpers) that expose network-reachable endpoints which eventually call `simple-git` with attacker-influenced parameters.
Note: The CVE description says “versions up to and including 3.31.1”, while the affected range table in the CVE record marks versions < 3.32.0 as affected; treat anything below 3.32.0 as in-scope unless you have vendor confirmation otherwise.
What to do now
- Follow vendor remediation guidance and apply a release that includes the fix; the CVE record states: "This issue has been fixed in version 3.32.0."
- Inventory where `simple-git` is used (repos, lockfiles, build containers) and prioritize upgrades for any service that accepts user-controlled input and calls into Git operations.
- Review callsites that build Git arguments or options from request data: do not pass user-controlled strings into option positions; prefer strict allowlists and structured argument construction, and place user-controlled positional values (refs, remotes, paths) after `--`, which git treats as the end of options.
- If you suspect exposure, audit logs/telemetry around Git operations for unexpected option patterns (e.g., unusual short-option groupings) and investigate for follow-on system impact consistent with server-side command execution.
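The bypass described under "What happened" and the callsite review and log audit items above, as an added example in JavaScript (simple-git is a Node.js library). This is not simple-git's code: the prefix-anchored regex stands in for a blocklist-style check, the fetch option allowlist, the name pattern and the log line format are assumptions made for the example, and the log lines are constructed.

```javascript
// Added illustration, not simple-git's own code. Shows why a prefix-anchored
// regex blocklist over raw Git arguments is bypassable through git's short
// option bundling, a conservative check that is not, and a structured
// argument builder that keeps request data out of option positions.

// Options named in the advisory; '-u' is the short form that git clone
// accepts for --upload-pack (the CVE description lists -u as well).
const BLOCKED_LONG = new Set(['upload-pack', 'receive-pack']);
const BLOCKED_SHORT = new Set(['u']);

// Blocklist-style check (hypothetical): it only matches an argument that
// *starts* with the blocked option, so "-vu", "-4u" and "-nu" pass even
// though git parses each as "-v -u", "-4 -u", "-n -u".
function naiveIsUnsafe(arg) {
  return /^-u|^--(upload|receive)-pack/.test(arg);
}

// Conservative check: for a single-dash argument, every character after the
// dash is treated as a possible flag letter, because git lets flags be
// bundled and the option that takes a value may sit anywhere in the bundle.
// Long options are compared on their name with or without "=value".
// This also flags harmless bundles that happen to contain 'u'; that is the
// intended trade-off for a deny check over attacker-influenced input.
function robustIsUnsafe(arg) {
  if (arg.startsWith('--')) {
    const name = arg.slice(2).split('=', 1)[0];
    return BLOCKED_LONG.has(name);
  }
  if (arg.startsWith('-') && arg.length > 1) {
    return [...arg.slice(1)].some((ch) => BLOCKED_SHORT.has(ch));
  }
  return false;
}

// Preferred callsite pattern: options come from a fixed allowlist chosen by
// the code, and user-controlled values (remote and ref) are validated and
// placed after "--", which git treats as end of options. The allowlist and
// the name pattern are assumptions for this example; the pattern is stricter
// than git's own ref-name rules and rejects anything starting with "-".
const ALLOWED_FETCH_OPTIONS = new Set(['--prune', '--no-tags', '--depth=1']);
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9._\/-]{0,254}$/;

function buildFetchArgs(options, remote, ref) {
  for (const opt of options) {
    if (!ALLOWED_FETCH_OPTIONS.has(opt)) throw new Error(`option not allowed: ${opt}`);
  }
  if (!SAFE_NAME.test(remote) || !SAFE_NAME.test(ref)) {
    throw new Error('remote or ref name rejected');
  }
  return ['fetch', ...options, '--', remote, ref];
}

// Audit helper for the log review item. Lines are constructed samples in an
// assumed format (timestamp, "git", then argv joined by spaces); real
// telemetry may quote arguments, which this whitespace split does not handle.
const SAMPLE_LOG = [
  '2026-03-01T10:00:00Z git fetch origin main',
  '2026-03-01T10:00:05Z git clone -vu /tmp/evil https://example.invalid/r.git',
  '2026-03-01T10:00:09Z git pull --upload-pack=/tmp/evil origin main',
  '2026-03-01T10:00:12Z git log -n 5 --oneline',
];

// Returns the offending argument for each line that carries a blocked option.
function findSuspiciousLogLines(lines) {
  const hits = [];
  for (const line of lines) {
    const argv = line.trim().split(/\s+/).slice(2); // drop timestamp and "git"
    const bad = argv.find(robustIsUnsafe);
    if (bad !== undefined) hits.push({ line, arg: bad });
  }
  return hits;
}

// Side-by-side view of the two checks on the variants the CVE mentions.
for (const a of ['-u', '-vu', '-4u', '-nu', '--upload-pack=/tmp/x']) {
  console.log(a, 'naive:', naiveIsUnsafe(a), 'robust:', robustIsUnsafe(a));
}
console.log(findSuspiciousLogLines(SAMPLE_LOG));
```

The conservative check is a backstop, not the fix: it still reasons about git's parser from the outside. The allowlist builder is the shape to aim for at callsites, because it never lets request data occupy an option position in the first place, and the `--` separator closes the remaining gap for values that must be user-controlled.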
