CVE-2026-28291
Status: Received (Intake)
Command Injection in simple-git via Git Option Bypass

Publication date: 2026-04-13

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for CVE-2022-25860, as Git's flexible option parsing allows numerous character combinations (e.g., -vu, -4u, -nu) to circumvent the regular-expression-based blocklist in the unsafe operations plugin. Due to the virtually infinite number of valid option variants that Git accepts, a complete blocklist-based mitigation may be infeasible without fully emulating Git's option parsing behavior. This issue has been fixed in version 3.32.0.
Meta Information
Published: 2026-04-13
Last Modified: 2026-04-14
Generated: 2026-05-07
AI Q&A: 2026-04-13
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (5 associated CPEs)
Vendor      Product      Version / Range
simple_git  simple_git   up to 3.31.1 (inclusive)
simple_git  simple_git   3.32.0
steveukx    simple-git   up to 3.28.0 (inclusive)
steveukx    simple-git   up to 3.31.1 (inclusive)
steveukx    simple-git   3.32.0
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-28291 is a high-severity command execution vulnerability in the simple-git JavaScript library, which allows running native Git commands. Versions up to and including 3.31.1 (notably including 3.28.0) have a flaw where unsafe Git command options like -u and --upload-pack, which are meant to be blocked, can be bypassed due to Git's flexible option parsing.

The vulnerability arises because simple-git's blocking mechanism uses regular expressions to filter out unsafe options, but Git accepts many alternative option formats (e.g., -vu, -4u, -nu) that bypass these regex checks. This allows attackers to execute arbitrary OS commands by crafting Git options that circumvent the safety checks.

The issue is a result of an incomplete fix for a previous vulnerability (CVE-2022-25860) and is difficult to fully mitigate without replicating Git's complex option parsing logic. The vulnerability was fixed in simple-git version 3.32.0.
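As an added illustration (not simple-git's code and not the 3.32.0 fix), the JavaScript below contrasts a prefix-style regex blocklist of the kind the advisory describes with a check that expands Git's bundled short options, and with an explicit allowlist, which is the approach that does not depend on enumerating every spelling Git accepts. The function names, the regex and the sample arguments are assumptions constructed for this example.

```javascript
// Added example, not simple-git's own code. Shows why a prefix-style blocklist
// misses Git's bundled short options and contrasts it with two stricter checks.

// 1. Blocklist in the spirit of the vulnerable approach: matches "-u", "-u<value>"
//    and "--upload-pack[=...]" only when the option starts the argument.
const NAIVE_BLOCKLIST = /^(-u|--upload-pack(=|$))/;

function naiveIsBlocked(arg) {
  return NAIVE_BLOCKLIST.test(arg);
}

// 2. Cluster-aware blocklist: Git's option parser accepts bundled short flags
//    ("-vu" is read as "-v -u"), so every character of a short-option cluster
//    counts. Conservative by design: a cluster containing "u" is rejected even
//    when the "u" might belong to an inline option value (fail closed).
function clusterIsBlocked(arg) {
  if (arg === '--upload-pack' || arg.startsWith('--upload-pack=')) return true;
  if (!/^-[^-]/.test(arg)) return false; // not a short-option cluster
  return arg.slice(1).includes('u');
}

// 3. Allowlist: only options the caller explicitly expects pass through; any
//    other argument starting with "-" is rejected, so unknown spellings never
//    need to be enumerated. Throws on the first disallowed option.
function allowlistedArgs(args, allowedOptions) {
  const allowed = new Set(allowedOptions);
  for (const arg of args) {
    if (arg.startsWith('-') && !allowed.has(arg)) {
      throw new Error(`git option not permitted: ${arg}`);
    }
  }
  return args;
}

// Constructed sample arguments, including bundled spellings named in the advisory.
const SAMPLES = ['-u', '--upload-pack=x', '-vu', '-4u', '-nu', '-v', 'origin'];

// Side-by-side verdicts of the two blocklists for each sample argument.
function compareChecks(args = SAMPLES) {
  return args.map((arg) => ({
    arg,
    naive: naiveIsBlocked(arg),
    cluster: clusterIsBlocked(arg),
  }));
}
```

Running compareChecks() shows the naive regex passing -vu, -4u and -nu while the cluster-aware check rejects them; the allowlist rejects them without naming any of them.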


How can this vulnerability impact me?

This vulnerability allows remote attackers to execute arbitrary operating system commands on systems using vulnerable versions of simple-git by exploiting the flexible Git option parsing to bypass safety checks.

The CVSS 3.1 base score is 8.1 (High), indicating a serious impact with the following characteristics: network exploitable, high attack complexity, no privileges or user interaction required, and resulting in high confidentiality, integrity, and availability impact.

Successful exploitation could lead to unauthorized command execution, potentially compromising system data, integrity, and availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for execution of Git commands that include suspicious or unusual option combinations that bypass the blocking mechanism in simple-git. Specifically, options such as -vu, -4u, -6u, -lu, -nu, -qu, and -su are known to bypass the safety checks and allow arbitrary command execution.

A practical detection approach is to audit or log Git commands invoked via simple-git, especially those containing the letter 'u' combined with other single-character options. You can also check for unexpected file creations or command executions triggered by these options, such as the creation of files like /tmp/pwned in test scenarios.

While no specific detection commands are provided, you can use system monitoring tools to detect suspicious Git command invocations or unexpected side effects. For example, on Linux systems, you might use commands like:

  • ps aux | grep git
  • auditd or inotifywait to monitor file system changes (e.g., unexpected file creations)
  • grep for suspicious Git command arguments in logs or command histories

Additionally, reviewing usage of simple-git versions prior to 3.32.0 and checking for the presence of the unsafe options plugin can help identify vulnerable environments.


What immediate steps should I take to mitigate this vulnerability?

The primary and most effective mitigation is to upgrade simple-git to version 3.32.0 or later, where the vulnerability has been fixed by improving the unsafe operations plugin to block additional bypass scenarios.

If upgrading is not immediately possible, you should disable unsafe Git options by ensuring that the configuration option `allowUnsafePack` is set to false, preventing usage of options like -u and --upload-pack. However, due to Git's flexible option parsing, this may not fully prevent bypasses.

Monitoring and restricting the execution environment to limit the ability of attackers to run arbitrary commands via Git options is also recommended.

In summary, immediate steps include:

  • Upgrade simple-git to version 3.32.0 or later.
  • Ensure `allowUnsafePack` is disabled (set to false) in simple-git configuration.
  • Monitor and audit Git command usage for suspicious option patterns.
  • Restrict permissions and execution environments to minimize impact.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The CVE-2026-28291 vulnerability allows remote attackers to execute arbitrary OS commands via crafted Git options, resulting in high impact on confidentiality, integrity, and availability of affected systems.

Such a vulnerability could potentially lead to unauthorized access or manipulation of sensitive data, which may affect compliance with standards and regulations like GDPR and HIPAA that require protection of data confidentiality and integrity.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.

