CVE-2022-25912 Overview
CVE-2022-25912 is a Remote Code Execution (RCE) vulnerability in the simple-git package for Node.js, a wrapper that assembles and spawns git command lines. Versions prior to 3.15.0 are affected. It is exploitable through the clone() method when the ext transport protocol is enabled: git's ext remote helper runs whatever command follows the ext:: prefix, and git disables that helper by default (protocol.ext.allow defaults to never), so an attack also needs that policy switched on, either by the application itself or through a configuration override that reaches the clone arguments. The flaw is an incomplete fix of a previously disclosed vulnerability (CVE-2022-24066), which shows how hard it is to close an argument-injection surface with a single blocklist patch.
Critical Impact
Attackers can achieve remote code execution on hosts running vulnerable versions of simple-git by combining an ext:: remote with an enabled ext transport in a clone() call. The injected command runs with the privileges of the Node.js process, so the impact ranges from compromise of that application's data and credentials up to full host compromise where the process runs with elevated rights.
Affected Products
- simple-git versions prior to 3.15.0 (Node.js)
- Applications and services using simple-git as a dependency
- Java applications via WebJars npm package (org.webjars.npm:simple-git)
Discovery Timeline
- December 6, 2022 - CVE-2022-25912 published to NVD
- April 22, 2025 - Last updated in NVD database
Technical Details for CVE-2022-25912
Vulnerability Analysis
This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The flaw lies in how simple-git restricts the ext transport protocol. git-remote-ext, the helper behind ext:: remotes, executes the command named in the remote address, so an ext:: remote is a command line by construction; simple-git has to stop untrusted input from both naming such a remote and enabling the helper. In affected versions, input that reached clone() could still do so, and git then executed the attacker's command.
The vulnerability is an incomplete remediation of CVE-2022-24066: the original patch did not cover every attack path. Fixes for argument injection that block specific strings are prone to this, because git accepts several spellings for the same setting (configuration keys are case-insensitive, and the clone subcommand takes them through both -c and --config), and a variant the first patch did not anticipate is all an attacker needs.
Root Cause
The root cause is insufficient validation of the arguments simple-git forwards to git when a clone uses the ext transport. The ext protocol in git is the git-remote-ext helper: the address after ext:: is a command to run (with %S expanding to the long service name, such as git-upload-pack), so whoever controls that string controls what gets executed. Git guards this with the protocol.ext.allow setting, which defaults to never, and simple-git's earlier fix tried to prevent that guard from being overridden through the options it passes on.
When an application accepts repository URLs or clone options from untrusted input and forwards them to clone() without its own validation, an attacker can supply an ext:: remote together with whatever is needed to enable the helper, and git executes the embedded command on the server. The fix for CVE-2022-24066 did not cover every input permutation that bypassed its checks, which is what 3.15.0 corrects.
Attack Vector
The attack is network-reachable in the CVSS sense: no authentication or user interaction is required beyond an application that forwards untrusted input to clone(). The attack flow typically involves:
- An application using a vulnerable version of simple-git accepts a repository URL, and in practice also clone options, from an untrusted source
- The attacker supplies an ext:: remote whose address is the command to run, plus whatever enables the ext transport for that clone (a protocol.ext.allow override that the vulnerable version failed to block, or a setting the application already made)
- When clone() runs, git hands the remote to git-remote-ext, which executes the embedded command on the server
- The attacker achieves code execution with the privileges of the Node.js process
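The following is an added example, not code from the original page or from the simple-git project. It classifies the argument list an application is about to hand to git clone, to make the two ingredients of the attack concrete: an ext:: remote and a widening of git's transport policy. The spellings it handles are assumptions about what a caller might pass (-c and --config, detached or attached values, upper-case keys, and protocol.allow as well as protocol.ext.allow); the sample invocations are constructed, not captured from a real incident.

```javascript
// Added example, not simple-git's own code. Classifies the arguments an application is
// about to hand to `git clone`, to show the two ingredients the attack needs: an
// `ext::` remote and an override of git's default `protocol.ext.allow=never`.
// Git config keys are case-insensitive, `protocol.allow` sets the default policy for
// every protocol (ext included), and clone accepts both `-c` and `--config` with
// detached or attached values, so a check that matches one literal string is incomplete.

// Split one `key=value` pair into a lower-cased key and its value.
function parseConfigPair(pair) {
  const eq = pair.indexOf('=');
  if (eq === -1) return { key: pair.toLowerCase(), value: '' };
  return { key: pair.slice(0, eq).toLowerCase(), value: pair.slice(eq + 1) };
}

// Separate config overrides from positional arguments. Handles `-c k=v`, `-ck=v`,
// `--config k=v` and `--config=k=v`; every other option is skipped.
function extractGitConfigOverrides(args) {
  const overrides = [];
  const positionals = [];
  for (let i = 0; i < args.length; i++) {
    const a = args[i];
    if (a === '-c' || a === '--config') {
      if (i + 1 < args.length) overrides.push(parseConfigPair(args[++i]));
    } else if (a.startsWith('--config=')) {
      overrides.push(parseConfigPair(a.slice('--config='.length)));
    } else if (a.startsWith('-c') && !a.startsWith('--')) {
      overrides.push(parseConfigPair(a.slice(2)));
    } else if (!a.startsWith('-')) {
      positionals.push(a);
    }
  }
  return { overrides, positionals };
}

// Keys that widen the transport policy enough to admit `ext`.
const POLICY_KEYS = new Set(['protocol.ext.allow', 'protocol.allow']);
// Remote-helper syntax is `<helper>::<address>`; matched case-insensitively because the
// helper name resolves to an executable and case-insensitive filesystems exist.
const EXT_REMOTE = /^ext::/i;

// Returns a list of findings for one clone invocation (empty means nothing suspicious).
function analyzeCloneArgs(args) {
  const { overrides, positionals } = extractGitConfigOverrides(args);
  const findings = [];
  for (const { key, value } of overrides) {
    if (POLICY_KEYS.has(key) && value.toLowerCase() !== 'never') {
      findings.push(`policy override ${key}=${value}`);
    }
  }
  for (const p of positionals) {
    if (EXT_REMOTE.test(p)) findings.push(`ext transport remote: ${p}`);
  }
  return findings;
}

// Constructed sample invocations (not captured from a real system).
const SAMPLE_INVOCATIONS = {
  benign: ['--depth', '1', 'https://example.org/team/app.git', 'work'],
  detachedUpperCase: ['-c', 'PROTOCOL.EXT.ALLOW=always', 'ext::helper-cmd %S', 'work'],
  attachedDefaultPolicy: ['--config=protocol.allow=always', 'EXT::helper-cmd %S', 'work'],
  attachedShort: ['-cprotocol.ext.allow=user', 'https://example.org/team/app.git', 'work'],
};

for (const [name, args] of Object.entries(SAMPLE_INVOCATIONS)) {
  console.log(name, analyzeCloneArgs(args));
}
```

The point of the four samples is that only the first is clean; the other three each enable or name the ext helper in a different spelling, and a detector written against the single string "-c protocol.ext.allow=always" would miss all of them.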
Version 3.15.0 also carried changes to configuration and project files. The two excerpts reproduced on this page from the referenced commit are such housekeeping changes (.gitignore and lerna.json); the protocol-restriction logic itself is not quoted here. The first excerpt:
-node_modules
+*.md
+.changeset
dist
-CHANGELOG.md
+coverage
+node_modules
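Review bot: this hunk is a .gitignore edit (moving `node_modules`, adding `*.md`, `.changeset` and `coverage`, dropping the explicit `CHANGELOG.md`), not the protocol.ext.allow restriction the surrounding text attributes to 3.15.0; either quote the hunk that changes the option-blocking logic or label this one as housekeeping. Also, replacing `-CHANGELOG.md` with `+*.md` widens the ignore to every markdown file in that directory, which hides any new README or doc from `git status`; worth confirming that is intended and saying so in the commit message.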
Source: GitHub Commit Update
The second excerpt is a lerna.json formatting change from the same commit reference:
"license": "MIT"
}
},
- "ignoreChanges": [
- "**/test/**",
- "**/*.md"
- ],
+ "ignoreChanges": ["**/test/**", "**/*.md"],
"useWorkspaces": true,
"version": "2.48.0"
}
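Review bot: the visible `"version": "2.48.0"` does not match the 3.15.0 release this text attributes the patch to, which suggests the wrong commit is being quoted; the hunk itself only collapses `ignoreChanges` onto one line without altering its two entries, so it has no security relevance either way. Confirm the commit reference and replace the excerpt with the hunk that touches the protocol override handling.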
Source: GitHub Commit Update
Detection Methods for CVE-2022-25912
Indicators of Compromise
- Unusual process spawning from Node.js applications, particularly git-related subprocesses with suspicious command-line arguments
- Network connections to unexpected external hosts originating from applications using simple-git
- Log entries showing git clone operations with ext:: protocol URLs
- Unexpected file system modifications in directories accessible to Node.js processes
Detection Strategies
- Implement software composition analysis (SCA) to identify vulnerable versions of simple-git in your dependency tree
- Monitor application logs for git operations containing ext:: protocol references
- Use runtime application self-protection (RASP) solutions to detect command injection attempts
- Deploy network traffic analysis for clone operations against untrusted hosts, bearing in mind that an ext:: clone runs a local command instead of opening a git connection, so egress monitoring only sees whatever that command does next
Monitoring Recommendations
- Enable verbose logging for applications using simple-git to capture all git operations
- Implement alerting for any use of non-standard git protocols (ext, file, etc.)
- Monitor system process trees for unexpected child processes spawned by Node.js applications
- Audit npm package installations and updates to ensure vulnerable versions are not deployed
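The detection rules above, run over sample log lines, as an added example that is not part of the original page or of simple-git. The log format is an assumption: one line per spawned process in the shape "<ISO timestamp> <parent>[<pid>] spawn <argv...>", the kind of record an application-level exec hook or an auditd-derived pipeline might emit; the lines themselves are constructed.

```javascript
// Added example, not from the original page or the simple-git project. Runs the
// detection rules from this section over process-spawn log lines.
// Assumed line shape: `<ISO timestamp> <parent-comm>[<pid>] spawn <argv...>`.

const LINE = /^(\S+)\s+(\S+?)\[(\d+)\]\s+spawn\s+(.*)$/;

// Each rule: [severity, reason, predicate over the argv string].
const RULES = [
  // `<helper>::` remote syntax with the ext helper, any casing.
  ['high', 'ext remote helper', (argv) => /(^|\s)ext::/i.test(argv)],
  // protocol.ext.allow or protocol.allow set to anything other than never,
  // via `-c`, `-c<attached>`, `--config <v>` or `--config=<v>`.
  ['high', 'transport policy widened',
    (argv) => /(?:^|\s)(?:-c\s*|--config[=\s]+)protocol(?:\.ext)?\.allow=(?!never\b)\S+/i.test(argv)],
  // Non-network transports are unusual for an application that clones remote repos.
  ['medium', 'file transport', (argv) => /(^|\s)file:\/\//i.test(argv)],
];

// Parse one line; returns null for malformed lines and for non-git processes.
function scanLine(line) {
  const m = LINE.exec(line);
  if (!m) return null;
  const [, ts, parent, pid, argv] = m;
  if (!/^git(\s|$)/.test(argv)) return null;
  const reasons = [];
  let severity = 'info';
  for (const [sev, reason, test] of RULES) {
    if (test(argv)) {
      reasons.push(reason);
      if (sev === 'high' || (sev === 'medium' && severity === 'info')) severity = sev;
    }
  }
  return { ts, parent, pid: Number(pid), argv, severity, reasons };
}

// Returns only the records that triggered at least one rule.
function scanLog(lines) {
  return lines.map(scanLine).filter((r) => r && r.reasons.length > 0);
}

// Constructed sample log (not captured from a real system).
const SAMPLE_LOG = [
  '2022-12-07T10:15:02Z node[4412] spawn git clone --depth 1 https://example.org/app.git /tmp/build-1',
  '2022-12-07T10:15:09Z node[4412] spawn git clone -c PROTOCOL.EXT.ALLOW=always ext::helper-cmd %S /tmp/build-2',
  '2022-12-07T10:15:11Z node[4412] spawn git -c protocol.allow=always clone https://example.org/app.git /tmp/build-3',
  '2022-12-07T10:15:12Z node[4412] spawn git clone file:///srv/mirrors/app.git /tmp/build-4',
  '2022-12-07T10:15:15Z sshd[77] spawn git-upload-pack /srv/repos/app.git',
  'malformed line that the parser should skip',
];

for (const alert of scanLog(SAMPLE_LOG)) {
  console.log(`${alert.severity.toUpperCase()} pid=${alert.pid} parent=${alert.parent}: ${alert.reasons.join(', ')}`);
}
```

Two caveats for anyone adapting this: the transport policy can also be widened through the GIT_ALLOW_PROTOCOL environment variable or a global git config, neither of which appears in argv, so a spawn log needs to be paired with environment or config auditing; and the second rule deliberately treats the "user" policy value as suspicious, because it lets the helper run whenever GIT_PROTOCOL_FROM_USER is unset or 1.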
How to Mitigate CVE-2022-25912
Immediate Actions Required
- Upgrade simple-git to version 3.15.0 or later immediately across all environments
- Audit all applications using simple-git to identify every place where a repository URL or git option is derived from external input
- Check that the unsafe plugin is not switched on anywhere: simpleGit({ unsafe: { allowUnsafeProtocolOverride: true } }) re-enables exactly the override the fix blocks, and should only be set where a protocol override is genuinely required
- Validate user-provided repository addresses against an allow-list of schemes and hosts rather than by rejecting the ext:: prefix alone, since helper syntax and case variants are easy to miss
Patch Information
The vulnerability is addressed in simple-git version 3.15.0. The fix restricts the ext transport protocol so that a clone() call can no longer be used to enable it and inject a command. Organizations should update their package dependencies using their standard package management workflow. 3.15.0 is the minimum version for this CVE, not the last fix in this family: 3.16.0 closed a further argument-injection issue in pull() (CVE-2022-25860), so pin to a current 3.x release rather than to 3.15.0 exactly. The patch commit can be reviewed at the GitHub Commit Update. Additional details about managing unsafe actions and protocol restrictions are available in the GitHub Plugin Unsafe Actions Guide.
Workarounds
- Keep git's default of protocol.ext.allow=never: do not enable the ext transport in global or system git configuration, through the GIT_ALLOW_PROTOCOL environment variable, or via simple-git's unsafe plugin unless the application genuinely needs it
- Implement strict URL validation that only allows https:// (and ssh where required) for clone operations; git:// is unencrypted and unauthenticated and is best left out of the allow-list
- Keep caller-supplied git options out of clone() entirely, or route URLs and options through a gateway that validates them before they reach simple-git
- Run Node.js applications with minimal privileges to limit the impact of successful exploitation
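The URL allow-list and option-stripping workarounds above, combined into one clone wrapper, as an added example that is not part of the original page or of simple-git. The wrapper expects any object with a simple-git style clone(repoPath, localPath, options) method; a recording stand-in is injected here so the example runs without the package installed (in production it would be simpleGit(), whose clone returns a promise). The allowed schemes, the fixed clone options and the recording stub are assumptions of this example.

```javascript
// Added example, not simple-git's own code. A clone wrapper an application can put in
// front of simple-git: the remote must be https://, ssh:// or scp-style ssh (optionally
// restricted to known hosts), remote-helper syntax and option-like strings are rejected,
// and the git options are fixed by the application rather than forwarded from the
// caller, so neither an `ext::` remote nor a `protocol.ext.allow` override can reach
// `git clone`. `git` is any object with a simple-git style clone(repoPath, localPath,
// options) method (assumption: simpleGit() in production).

const ALLOWED_SCHEMES = new Set(['https:', 'ssh:']);
// scp-style `user@host:path`; host must start alphanumeric so it can never read as an
// ssh option.
const SCP_LIKE = /^[A-Za-z0-9._-]+@([A-Za-z0-9][A-Za-z0-9.-]*):[^/].*$/;
// Options the application always uses; nothing caller-supplied is merged in.
const FIXED_CLONE_OPTIONS = Object.freeze(['--depth', '1']);

function validateRepoUrl(raw, allowedHosts = null) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) {
    return { ok: false, reason: 'empty, non-string or oversized' };
  }
  if (raw.includes('::')) {
    return { ok: false, reason: 'remote-helper syntax (<helper>::...) is not allowed' };
  }
  if (raw.startsWith('-')) {
    return { ok: false, reason: 'looks like an option, not a repository address' };
  }
  let host;
  let url;
  const scp = SCP_LIKE.exec(raw);
  if (scp) {
    host = scp[1];
    url = raw;
  } else {
    let parsed;
    try {
      parsed = new URL(raw);
    } catch {
      return { ok: false, reason: 'not a parseable URL' };
    }
    if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
      return { ok: false, reason: `scheme ${parsed.protocol} is not in the allow-list` };
    }
    if (!parsed.hostname) return { ok: false, reason: 'missing host' };
    host = parsed.hostname;
    url = parsed.href;
  }
  if (allowedHosts && !allowedHosts.has(host.toLowerCase())) {
    return { ok: false, reason: `host ${host} is not in the allow-list` };
  }
  return { ok: true, url, host };
}

// Validation failures throw before any git process is spawned; on success the return
// value is whatever git.clone returns (a promise with simple-git).
function safeClone(git, rawUrl, localPath, allowedHosts = null) {
  const v = validateRepoUrl(rawUrl, allowedHosts);
  if (!v.ok) throw new Error(`refusing to clone: ${v.reason}`);
  return git.clone(v.url, localPath, [...FIXED_CLONE_OPTIONS]);
}

// Constructed stand-in for simple-git that only records what it was asked to run.
function makeRecordingGit() {
  const calls = [];
  return {
    calls,
    clone: (repoPath, localPath, options) => {
      calls.push({ repoPath, localPath, options });
      return 'ok';
    },
  };
}

const demo = makeRecordingGit();
console.log(safeClone(demo, 'https://example.org/team/app.git', '/tmp/app'), demo.calls);
try {
  safeClone(demo, 'ext::helper-cmd %S', '/tmp/app');
} catch (e) {
  console.log(e.message);
}
```

The design choice worth noting is that the wrapper never has to recognise the dangerous override: because the options array is constant, the only caller-controlled value that reaches git is a URL that has already been reduced to an allow-listed scheme and host. Drop the host allow-list only if the application genuinely must clone from arbitrary hosts.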
# Upgrade example
# Update simple-git to a patched release; npm update takes package names, not version specs,
# so use install with the wanted range
npm install simple-git@^3.15.0
# Verify the resolved version
npm list simple-git
# Confirm the advisory is no longer reported against the lockfile
npm audit
# For yarn users
yarn upgrade simple-git@^3.15.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

