DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-28292: Remote Code Execution via Regex Case Sensitivity Bypass in simple-git

Vulnerability ID: CVE-2026-28292
CVSS Score: 9.8
Published: 2026-03-10

The simple-git Node.js library versions 3.15.0 through 3.32.2 are vulnerable to unauthenticated Remote Code Execution (RCE). A flaw in the blockUnsafeOperationsPlugin allows attackers to bypass security controls by supplying configuration keys with mixed or uppercase characters. This configuration bypass permits the use of the ext:: protocol, which Git executes as an OS command, leading to complete system compromise.

TL;DR

A case-sensitivity flaw in simple-git's security regex allows attackers to pass dangerous git configuration options, leading to arbitrary Remote Code Execution via the ext:: protocol.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: OS Command Injection
  • Attack Vector: Network
  • Authentication: None Required
  • CVSS v3.1 Score: 9.8 (Critical)
  • Exploit Status: Proof of Concept (PoC) Available
  • CWE IDs: CWE-78, CWE-178
  • Fixed Version: 3.32.3

Affected Systems

  • simple-git
  • simple-git: >= 3.15.0, <= 3.32.2 (Fixed in: 3.32.3)

Code Analysis

Commit: f704208

Fix regex case sensitivity in blockUnsafeOperationsPlugin to prevent protocol.allow bypass

- if (!/^\s*protocol(.[a-z]+)?.allow/.test(next)) {
+ if (!/^\s*protocol(.[a-z]+)?.allow/i.test(next)) {
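Review bot: the dots in `protocol(.[a-z]+)?.allow` are unescaped on both the removed and the added line, so each one matches any single character instead of a literal `.`, making the check broader than the key it is meant to block; if that is the real source rather than a rendering artefact, escape them, e.g. `/^\s*protocol(\.[a-z]+)?\.allow/i`. Adding `/i` is the right direction, since git treats config section and variable names case-insensitively, so a mixed-case key reaches the same setting; a test case with a key such as `Protocol.Ext.Allow` would pin that behaviour down.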

Exploit Details

Mitigation Strategies

  • Upgrade simple-git to version 3.32.3 or higher
  • Sanitize all user inputs passed to Git command arrays
  • Avoid using git.raw() with user-controlled arrays

Remediation Steps:

  1. Identify all package dependencies on simple-git via package manager audits.
  2. Update package.json to require simple-git version >= 3.32.3.
  3. Execute npm install, yarn upgrade, or pnpm install to apply changes.
  4. Audit application source code to ensure user input is strictly validated before being passed to git.raw(), git.clone(), or other git operations.
  5. Deploy input validation logic to explicitly reject git configuration flags (-c) from untrusted sources.
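As an added example that is not simple-git's own code, the pre-fix and post-fix regex from the commit above are applied to the `-c key=value` pairs of a git argument array, alongside the stricter policy from step 5 that rejects any `-c` from untrusted input; the argument arrays, URL and function names are constructed for illustration.

```javascript
// Added example, not simple-git's code. Compares the case-sensitive check
// (vulnerable) with the case-insensitive one (fixed) on constructed argv arrays.

// Pre-fix pattern as shown in the commit (case-sensitive).
const VULNERABLE_RE = /^\s*protocol(.[a-z]+)?.allow/;
// Post-fix pattern: the /i flag makes the match case-insensitive.
const FIXED_RE = /^\s*protocol(.[a-z]+)?.allow/i;

// Return the config keys in `args` (given as `-c key=value`) that `pattern` blocks.
// Git config section and variable names are case-insensitive, so a key that
// differs from "protocol.ext.allow" only in case still reaches the same setting.
function blockedConfigKeys(args, pattern) {
  const blocked = [];
  for (let i = 0; i + 1 < args.length; i++) {
    if (args[i] === '-c' && pattern.test(args[i + 1])) {
      blocked.push(args[i + 1].split('=')[0]);
    }
  }
  return blocked;
}

// Stricter policy for argv built from untrusted input: refuse any `-c` at all,
// independent of which key it sets (remediation step 5).
function hasConfigFlag(args) {
  return args.some((a) => a === '-c');
}

// Constructed sample argv arrays (placeholder URL, not a real repository).
const lowercase = ['-c', 'protocol.ext.allow=always', 'clone', 'https://example.invalid/r.git'];
const mixedCase = ['-c', 'Protocol.Ext.Allow=always', 'clone', 'https://example.invalid/r.git'];
const plainClone = ['clone', 'https://example.invalid/r.git'];

// Summary of what each check sees: the vulnerable pattern only catches the
// lowercase spelling, the fixed pattern catches both.
function summary() {
  return {
    vulnerableCatchesLower: blockedConfigKeys(lowercase, VULNERABLE_RE).length === 1,
    vulnerableCatchesMixed: blockedConfigKeys(mixedCase, VULNERABLE_RE).length === 1, // false
    fixedCatchesMixed: blockedConfigKeys(mixedCase, FIXED_RE).length === 1,
    strictPolicyRejectsMixed: hasConfigFlag(mixedCase),
    strictPolicyAllowsPlain: !hasConfigFlag(plainClone),
  };
}

console.log(summary());
```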


Read the full report for CVE-2026-28292 on our website for more details including interactive diagrams and full exploit analysis.
