Vulnerability Description
Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221).
CVSS Score
8.1 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Simple-Git Project | Simple-Git | < 3.16.0 |
Related Weaknesses (CWE)
References
- https://github.com/steveukx/git-js/commit/ec97a39ab60b89e870c5170121cd9c1603cc19 (Patch, Third Party Advisory)
- https://github.com/steveukx/git-js/pull/881/commits/95459310e5b8f96e20bb77ef1a65 (Patch, Third Party Advisory)
- https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3177391 (Exploit, Third Party Advisory)
FAQ
What is CVE-2022-25860?
CVE-2022-25860 is a vulnerability with a CVSS score of 8.1 (HIGH). Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulner...
How severe is CVE-2022-25860?
CVE-2022-25860 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-25860?
Check the references section above for vendor advisories and patch information. Affected products: Simple-Git (Simple-Git Project), versions before 3.16.0.