CVE-2022-25912 — simple-git vulnerable to Remote Code Execution when enabling the ext transport p

Description

The package simple-git before 3.15.0 is vulnerable to Remote Code Execution (RCE) when enabling the `ext` transport protocol, which makes it exploitable via `clone()` method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306).

How to fix CVE-2022-25912

To remediate CVE-2022-25912, upgrade the affected package to a fixed version below.

—upgrade to 3.15.0 or later

Is CVE-2022-25912 being exploited?

Moderate — EPSS is 27.7%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, < 3.15.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-25912
PATCHgithub.com/steveukx/git-js
WEBgithub.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md%23overriding-allowed-protocols
WEBgithub.com/steveukx/git-js/commit/774648049eb3e628379e292ea172dccaba610504