CVE-2022-25860

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in npm/simple-git

Identifiers

CVE-2022-25860, GHSA-9w5j-4mwv-2wj8

Package Slug

npm/simple-git

Vulnerability

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Description

Versions of the package simple-git before 3.16.0 is vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of CVE-2022-25912.

Affected Versions

All versions before 3.16.0

Solution

Upgrade to version 3.16.0 or above.

Last Modified

2023-01-27

source