CVE-2022-24433: Improper Neutralization of Special Elements used in a Command ('Command Injection')

March 11, 2022 (updated August 8, 2023)

The package simple-git before 3.3.0 is vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution.

References

github.com/advisories/GHSA-3f95-r44v-8mrg
github.com/steveukx/git-js/pull/767
github.com/steveukx/git-js/releases/tag/simple-git%403.3.0
nvd.nist.gov/vuln/detail/CVE-2022-24433
snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199

Detect and mitigate CVE-2022-24433 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →