Executive Summary

CVE-2026-6951 is a Remote Code Execution (RCE) vulnerability in the simple-git npm package versions before 3.36.0. It arises because an incomplete fix for a previous vulnerability (CVE-2022-25912) blocked the use of the `-c` option but did not block the equivalent `--config` option. This allows an attacker to pass untrusted input to the options argument of simple-git's clone function.

By enabling the Git configuration `protocol.ext.allow=always` via the `--config` option and using an `ext::` clone source, an attacker can execute arbitrary shell commands on the host system running the Node.js process.

A proof-of-concept demonstrates this by cloning a repository with a command that executes shell commands, such as creating a file on the target system.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows remote attackers to execute arbitrary code on the host system running the vulnerable simple-git package without requiring any privileges or user interaction.

If an application uses simple-git and passes attacker-controlled input to the options parameter of the clone function, the attacker can run arbitrary shell commands, potentially compromising the entire system.

The impact includes full compromise of confidentiality, integrity, and availability of the affected system, as indicated by the high CVSS scores (v3.1 base score 9.8).

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves scanning for unsafe usage of Git configuration keys and environment variables that could be exploited by CVE-2026-6951.

Specifically, the vulnerability can be detected by checking if the simple-git package is used with untrusted input passed to the options argument, especially if the --config option is used to enable protocol.ext.allow=always.

There is no direct network command provided, but reviewing usage of simple-git clone commands with the --config option and scanning environment variables such as GIT_CONFIG_COUNT and core.fsmonitor related variables can help identify potential exploitation attempts.

Additionally, the updated simple-git library includes enhanced filtering and scanning mechanisms to detect unsafe Git configuration operations and environment variables, which can be used as part of vulnerability checks.

A practical approach is to audit your codebase or logs for commands similar to the proof-of-concept usage: invoking simple-git clone with the --config option set to protocol.ext.allow=always and an ext:: clone source.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the simple-git package to version 3.36.0 or later, where the vulnerability is fixed by properly blocking the --config option to prevent exploitation.

Until the upgrade is applied, avoid passing untrusted input to the options argument of simple-git's clone function, especially any usage of the --config option that enables protocol.ext.allow=always.

Review and restrict environment variables related to Git configuration such as GIT_CONFIG_COUNT and core.fsmonitor to reduce the risk of environment-based attacks.

Audit your code and dependencies to ensure that no unsafe Git configuration keys or environment variables are used that could be exploited.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not include any details on how CVE-2026-6951 affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0