CVE-2026-28291
Command Injection in simple-git via Git Option Bypass
Publication date: 2026-04-13
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| simple_git | simple_git | up to and including 3.31.1 |
| simple_git | simple_git | 3.32.0 |
| steveukx | simple-git | up to and including 3.28.0 |
| steveukx | simple-git | up to and including 3.31.1 |
| steveukx | simple-git | 3.32.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28291 is a high-severity command execution vulnerability in the simple-git JavaScript library, a Node.js wrapper for running native Git commands. Versions up to and including 3.31.1 (notably including 3.28.0) have a flaw in which unsafe Git command options such as -u and --upload-pack, which are meant to be blocked, can be bypassed because of Git's flexible option parsing.
The vulnerability arises because simple-git's blocking mechanism uses regular expressions to filter out unsafe options, while Git accepts many alternative spellings of the same option (e.g., the combined short forms -vu, -4u, -nu) that these regex checks do not match. An attacker who controls the options passed to simple-git can therefore reach the blocked functionality and execute arbitrary OS commands.
The issue is the result of an incomplete fix for a previous vulnerability (CVE-2022-25860) and is difficult to mitigate fully without replicating Git's option parsing logic. The vulnerability was fixed in simple-git version 3.32.0.
How can this vulnerability impact me?
This vulnerability allows remote attackers to execute arbitrary operating system commands on systems using vulnerable versions of simple-git by exploiting the flexible Git option parsing to bypass safety checks.
The CVSS 3.1 base score is 8.1 (High), indicating a serious impact with the following characteristics: network exploitable, high attack complexity, no privileges or user interaction required, and resulting in high confidentiality, integrity, and availability impact.
Successful exploitation could lead to unauthorized command execution, potentially compromising system data, integrity, and availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for execution of Git commands that include suspicious or unusual option combinations that bypass the blocking mechanism in simple-git. Specifically, combined short options such as -vu, -4u, -6u, -lu, -nu, -qu, and -su are known to bypass the safety checks and allow arbitrary command execution.
A practical detection approach is to audit or log Git commands invoked via simple-git, especially those containing the letter 'u' combined with other single-character options. You can also check for unexpected file creations or command executions triggered by these options, such as the creation of files like /tmp/pwned in test scenarios.
While no specific detection commands are provided, you can use system monitoring tools to detect suspicious Git command invocations or unexpected side effects. For example, on Linux systems, you might use commands like:
- `ps aux | grep git`
- `auditd` or `inotifywait` to monitor file-system changes (e.g., unexpected file creations)
- `grep` for suspicious Git command arguments in logs or command histories
Additionally, reviewing usage of simple-git versions prior to 3.32.0 and checking for the presence of the unsafe options plugin can help identify vulnerable environments.
What immediate steps should I take to mitigate this vulnerability?
The primary and most effective mitigation is to upgrade simple-git to version 3.32.0 or later, where the vulnerability has been fixed by improving the unsafe operations plugin to block additional bypass scenarios.
If upgrading is not immediately possible, you should disable unsafe Git options by ensuring that the configuration option `allowUnsafePack` is set to false, preventing usage of options like -u and --upload-pack. However, due to Git's flexible option parsing, this may not fully prevent bypasses.
Monitoring and restricting the execution environment to limit the ability of attackers to run arbitrary commands via Git options is also recommended.
In summary, immediate steps include:
- Upgrade simple-git to version 3.32.0 or later.
- Ensure `allowUnsafePack` is disabled (set to false) in simple-git configuration.
- Monitor and audit Git command usage for suspicious option patterns.
- Restrict permissions and execution environments to minimize impact.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The CVE-2026-28291 vulnerability allows remote attackers to execute arbitrary OS commands via crafted Git options, resulting in high impact on confidentiality, integrity, and availability of affected systems.
Such a vulnerability could potentially lead to unauthorized access or manipulation of sensitive data, which may affect compliance with standards and regulations like GDPR and HIPAA that require protection of data confidentiality and integrity.
However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.