simple-git enables running native Git commands from JavaScript. Some commands accept options that allow executing another command; because this is very dangerous, execution is denied unless the user explicitly allows it. This vulnerability allows a malicious actor who can control the options to execute other commands even in a “safe” state where the user has not explicitly allowed them. The vulnerability was introduced by an incorrect patch for CVE-2022-25860. It is likely to affect all versions prior to and including 3.28.0.
It was reproduced in the following environment:
WSL Docker
node: v22.19.0
git: git version 2.39.5
simple-git: 3.28.0
The issue was not reproduced on Windows 11.
The -u option, like --upload-pack, allows a command to be executed.
Currently, the -u and --upload-pack options are blocked in the file simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts.
```typescript
import { GitPluginError } from '../errors/git-plugin-error';

// Rejects the options that let git run another program unless allowUnsafePack is enabled.
function preventUploadPack(arg: string, method: string) {
    // --upload-pack and --receive-pack are denied for every command
    if (/^\s*--(upload|receive)-pack/.test(arg)) {
        throw new GitPluginError(
            undefined,
            'unsafe',
            `Use of --upload-pack or --receive-pack is not permitted without enabling allowUnsafePack`
        );
    }
    // clone's -u is the short form of --upload-pack
    if (method === 'clone' && /^\s*-u\b/.test(arg)) {
        throw new GitPluginError(
            undefined,
            'unsafe',
            `Use of clone with option -u is not permitted without enabling allowUnsafePack`
        );
    }
    // push's --exec is an alias for --receive-pack
    if (method === 'push' && /^\s*--exec\b/.test(arg)) {
        throw new GitPluginError(
            undefined,
            'unsafe',
            `Use of push with option --exec is not permitted without enabling allowUnsafePack`
        );
    }
}
```
However, the problem is that git's command-line option parsing is quite flexible: single-letter options can be bundled into one argument (so -lu is parsed as -l -u) and long options may be abbreviated to any unambiguous prefix (so --u is accepted as --upload-pack). The regex /^\s*-u\b/ only matches the literal spelling -u and misses these forms.
By brute forcing, I found various options that bypass the -u check.
```js
[
    '--u', '--u',
    '-4u', '-6u',
    '-lu', '-nu',
    '-qu', ...
]
```
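A more conservative version of the check, as an added example that is not simple-git's own code (the names isUnsafePackOption and the deny tables are hypothetical; it assumes the same arg/method call shape as preventUploadPack): instead of matching literal spellings it treats any prefix of a denied long option and any single-dash cluster containing the denied letter as unsafe, which covers the bypasses listed above.

```typescript
// Added example, not simple-git's own code. Names are hypothetical.

// Long options that run a program; denied for every git command.
const LONG_DENY_ALL = ['upload-pack', 'receive-pack'];
// Per-command aliases: push --exec is the same as --receive-pack.
const LONG_DENY_BY_METHOD: Record<string, string[]> = { push: ['exec'] };
// Per-command short letters: clone -u is the same as --upload-pack.
const SHORT_DENY_BY_METHOD: Record<string, string> = { clone: 'u' };

/** Option name of `--name` or `--name=value`, or null for anything else. */
function longOptionName(arg: string): string | null {
    const m = /^\s*--([^=\s]+)/.exec(arg);
    return m?.[1] ?? null;
}

/**
 * True when git could resolve `arg` to a command-executing option. Git accepts
 * any unambiguous prefix of a long option (`--u` may mean `--upload-pack`) and
 * bundles single-letter options (`-lu` is `-l -u`), so abbreviations and
 * bundles are denied as well. Deliberately conservative: `-oupstream` is
 * rejected too, because the cluster contains a `u`.
 */
function isUnsafePackOption(arg: string, method: string): boolean {
    const name = longOptionName(arg);
    if (name !== null) {
        const denied = [...LONG_DENY_ALL, ...(LONG_DENY_BY_METHOD[method] ?? [])];
        // The supplied name either abbreviates a denied option or extends it
        // (`--upload-pack=cmd` has already had its value split off).
        return denied.some((full) => full.startsWith(name) || name.startsWith(full));
    }
    const letter = SHORT_DENY_BY_METHOD[method];
    if (letter === undefined) {
        return false;
    }
    // Single-dash cluster: `-u`, `-lu`, `-4u` and `-ucmd` all reach option `u`.
    const cluster = /^\s*-([^-\s]\S*)/.exec(arg);
    return cluster !== null && (cluster[1] ?? '').includes(letter);
}
```

Because the check runs per argument it cannot know which earlier short option consumed a value, so it errs toward rejecting; callers that need those spellings can still opt in with allowUnsafePack.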
Patched version: 3.32.0
CVSS v3.1 base score: 8.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: AV:N (Network), AC:H (High), PR:N (None), UI:N (None)
Scope: S:U (Unchanged)
Impact: C:H (High), I:H (High), A:H (High)