CVE-2022-25912

critical

Description

The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306).

References

Advisories
More

https://github.com/steveukx/git-js/releases/tag/simple-git%403.15.0

https://github.com/steveukx/git-js/commit/774648049eb3e628379e292ea172dccaba610504

https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221

https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3153532

https://github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md%23overriding-allowed-protocols

Details

Source: Mitre, NVD

Published: 2022-12-06

Updated: 2025-04-22

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.38025