CVE-2022-25860
Remote code execution in simple-git
CVSS 3.1 base score: 9.8 (CRITICAL)
EPSS: 34.7%
Description
Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of CVE-2022-25912.
How to fix CVE-2022-25860
To remediate CVE-2022-25860, upgrade the affected package to the fixed version listed below.
- npm/simple-git: upgrade to 3.16.0 or later
Is CVE-2022-25860 being exploited?
Moderate: EPSS is 34.7%. Track this CVE, but it does not belong at the top of the prioritisation list.
Affected packages (1)
- npm/simple-git: all versions from 0 up to, but not including, 3.16.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.8) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |