CVE Reports

Originally published at cvereports.com

CVE-2026-28291: Command Execution via Option-Parsing Bypass in simple-git

Vulnerability ID: CVE-2026-28291
CVSS Score: 8.1
Published: 2026-04-13

CVE-2026-28291 is a high-severity OS command injection vulnerability in the simple-git (git-js) library, resulting from an incomplete remediation of CVE-2022-25860. The vulnerability allows attackers to bypass regex-based security filters using Git's short-option bundling, leading to arbitrary command execution on the host system.

TL;DR

A flaw in simple-git < 3.32.0 allows arbitrary code execution via Git short-option bundling (e.g., -vu), bypassing regex-based security filters designed to block dangerous options like -u.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-78
  • Attack Vector: Network
  • CVSS Score: 8.1
  • Impact: High (Remote Code Execution)
  • Exploit Status: Proof of Concept
  • CISA KEV: Not listed

Affected Systems

  • Node.js applications utilizing the simple-git library
  • CI/CD pipelines and deployment scripts relying on git-js for repository management
  • git-js (simple-git): < 3.32.0 (Fixed in: 3.32.0)

Code Analysis

Commit: 789c13e

Preliminary analysis of bypasses and potential fixes in block-unsafe-operations-plugin.ts

Mitigation Strategies

  • Upgrade the simple-git package to version 3.32.0 or later.
  • Implement strict input validation using allowlists for any user-supplied data interacting with simple-git.
  • Reject any user-supplied string beginning with a hyphen before it reaches the simple-git argument array.
  • Require explicit opt-in via the allowUnsafePack configuration if dangerous options are strictly necessary.
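To make the second and third mitigations concrete, here is an added example (not code from simple-git, git-js or this advisory) of a positional-only allowlist placed in front of the argument array, alongside a constructed denylist regex of the kind the advisory describes as bypassable. `validateGitArg`, `buildFetchArgs` and the regexes are assumptions for illustration; the denylist is a stand-in, not the library's actual filter.

```javascript
// Constructed stand-in for a denylist-style filter that only recognises the
// dangerous option in its canonical spellings. Git accepts bundled short
// options, so a value such as "-vu" carries -u without matching this pattern.
const NAIVE_DENYLIST = /^(-u|--upload-pack)(=|$)/;

function naiveDenylistAllows(arg) {
  return !NAIVE_DENYLIST.test(arg);
}

// Allowlist shapes for the positional values an application typically forwards
// to simple-git (remote name, ref name, repository URL). These are assumptions
// for the example; tighten them to whatever your application really accepts.
const REMOTE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]*$/;
const REF_NAME = /^[A-Za-z0-9][A-Za-z0-9._\/-]*$/;
const REPO_URL = /^(https:\/\/|ssh:\/\/)[A-Za-z0-9.\-]+(:\d+)?\/[A-Za-z0-9._\/-]+$/;

// A value is accepted only if it is a non-empty string, does not begin with a
// hyphen (so it can never be parsed as an option, bundled or not), contains no
// whitespace or NUL, and matches the expected shape for its kind.
function validateGitArg(kind, value) {
  if (typeof value !== 'string' || value.length === 0) return false;
  if (value.startsWith('-')) return false; // closes -u, --upload-pack, -vu, ...
  if (/[\s\0]/.test(value)) return false;
  switch (kind) {
    case 'remote': return REMOTE_NAME.test(value);
    case 'ref': return REF_NAME.test(value);
    case 'url': return REPO_URL.test(value);
    default: return false;
  }
}

// Build the argument array only from validated values. Anything rejected throws
// here, before the array could be handed to a simple-git call (call site not
// shown; this helper is hypothetical).
function buildFetchArgs(remote, ref) {
  if (!validateGitArg('remote', remote)) throw new Error(`rejected remote: ${remote}`);
  if (!validateGitArg('ref', ref)) throw new Error(`rejected ref: ${ref}`);
  return ['fetch', remote, ref];
}
```

The allowlist rejects every hyphen-prefixed value regardless of how Git would parse it, which is why it does not depend on enumerating option spellings the way the denylist does.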

Remediation Steps:

  1. Identify all projects depending on the simple-git library using dependency scanning tools.
  2. Update the package.json to require simple-git version 3.32.0 or higher.
  3. Run npm install or yarn install to lock the updated dependency.
  4. Audit application source code to ensure user input is strictly validated before being passed to library methods like clone, fetch, or push.
  5. Deploy the updated application to staging environments, verify functionality, and promote to production.

Read the full report for CVE-2026-28291 on our website for more details including interactive diagrams and full exploit analysis.
