CVE-2026-28292 Overview
CVE-2026-28292 is a critical Command Injection vulnerability affecting simple-git, a popular Node.js interface for running git commands. This vulnerability exists in versions 3.15.0 through 3.32.2 and allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) to achieve full remote code execution on the host machine. The flaw stems from a case-sensitivity issue in the security plugin designed to block unsafe operations.
Critical Impact
Attackers can achieve full remote code execution on systems running vulnerable versions of simple-git by bypassing existing security controls through case manipulation, potentially leading to complete system compromise.
Affected Products
- simple-git versions 3.15.0 through 3.32.2
- Node.js applications utilizing the affected simple-git package
- CI/CD pipelines and automation tools leveraging simple-git for git operations
Discovery Timeline
- 2026-03-10 - CVE-2026-28292 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-28292
Vulnerability Analysis
This vulnerability represents a security bypass of previously patched command injection flaws in the simple-git library. The root issue lies in how the block-unsafe-operations-plugin.ts validates git configuration parameters. The original patches for CVE-2022-25860 and CVE-2022-25912 implemented regex-based filtering to prevent attackers from injecting malicious protocol.*.allow configurations that could be exploited for remote code execution.
However, the regex validation used a case-sensitive pattern match, allowing attackers to bypass the security control by simply using uppercase or mixed-case variations of the blocked strings (e.g., PROTOCOL.ext.allow instead of protocol.ext.allow). This enables attackers to inject arbitrary git protocol handlers and achieve code execution through git's external protocol handler mechanism.
Root Cause
The vulnerability originates from insufficient input validation in the security plugin responsible for blocking unsafe git operations. Specifically, the regex pattern /^\s*protocol(.[a-z]+)?.allow/ only matches lowercase characters, while git treats configuration section and variable names case-insensitively. This allows attackers to bypass the security check by using uppercase characters in their malicious input.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker can exploit this vulnerability by providing specially crafted input to any application endpoint that passes user-controlled data to simple-git functions. By using case variations such as PROTOCOL.ext.allow or Protocol.Ext.Allow, the attacker bypasses the security filter and can configure git to execute arbitrary commands through malicious protocol handlers.
// Security patch from block-unsafe-operations-plugin.ts
// Source: https://github.com/steveukx/git-js/commit/f7042088aa2dac59e3c49a84d7a2f4b26048a257
return;
}
- if (!/^\s*protocol(.[a-z]+)?.allow/.test(next)) {
+ if (!/^\s*protocol(.[a-z]+)?.allow/i.test(next)) {
return;
}
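Review bot: the `i` flag is the right fix, but the two unescaped `.` characters in `/^\s*protocol(.[a-z]+)?.allow/i` match any character rather than a literal dot; that only makes the denylist broader, so it cannot let a `protocol.<x>.allow` key through, but writing `\.` would state the intent and make the pattern easier to audit. It would also be worth adding regression tests for the mixed-case forms the advisory names (`PROTOCOL.ext.allow`, `Protocol.Ext.Allow`) so the flag cannot be dropped silently in a later refactor.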
The fix adds the i flag to the regex pattern, enabling case-insensitive matching to properly block all variations of the unsafe operation.
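To show the root cause concretely, here is an added JavaScript example (not code from simple-git or from this advisory) that runs the pre-fix and post-fix patterns over the inputs named above, and adds an application-level allowlist of git config keys as the extra defense layer the mitigation section recommends. The allowlist contents and the helper names are assumptions to be tailored per application.

```javascript
// Added example, not simple-git's own code: compares the vulnerable and fixed
// patterns from block-unsafe-operations-plugin.ts and adds a defence-in-depth guard.

// Pattern used by the vulnerable versions (3.15.0 through 3.32.2): case-sensitive.
const VULNERABLE_PATTERN = /^\s*protocol(.[a-z]+)?.allow/;
// Pattern after the fix: the `i` flag makes the match case-insensitive.
const FIXED_PATTERN = /^\s*protocol(.[a-z]+)?.allow/i;

// True when the given plugin pattern would block this config argument.
function isBlocked(pattern, configArg) {
  return pattern.test(configArg);
}

// True for inputs that slip past the old check but are caught by the fixed one,
// i.e. exactly the case-variant bypass the advisory describes.
function bypassesVulnerableCheck(configArg) {
  return !isBlocked(VULNERABLE_PATTERN, configArg) && isBlocked(FIXED_PATTERN, configArg);
}

// Defence in depth for the application: only accept config keys from an explicit
// allowlist instead of relying on a denylist. The comparison is lowercased because
// git treats section and variable names case-insensitively.
// (Allowlist contents are a constructed example; tailor them to your application.)
const ALLOWED_CONFIG_KEYS = new Set(['user.name', 'user.email', 'core.autocrlf']);

// Validates a "key=value" or bare "key" argument before it reaches simple-git;
// throws on anything outside the allowlist, including any protocol.*.allow form.
function validateConfigArg(configArg) {
  const eq = configArg.indexOf('=');
  const key = (eq === -1 ? configArg : configArg.slice(0, eq)).trim().toLowerCase();
  if (!ALLOWED_CONFIG_KEYS.has(key)) {
    throw new Error(`git config key not permitted: ${key}`);
  }
  return configArg;
}
```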
Detection Methods for CVE-2026-28292
Indicators of Compromise
- Unexpected git configuration changes containing protocol.*.allow entries with unusual casing
- Anomalous outbound connections from Node.js processes to external endpoints
- Presence of suspicious git protocol handlers in application logs
- Unusual child process spawning from Node.js applications using simple-git
Detection Strategies
- Monitor application logs for git operations containing case-variant protocol configuration strings
- Implement runtime security monitoring to detect unexpected command execution from Node.js processes
- Utilize software composition analysis (SCA) tools to identify vulnerable simple-git versions in your codebase
- Deploy web application firewalls (WAF) with rules to detect git command injection patterns
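As an added illustration of the first detection strategy (not part of this advisory), the following JavaScript scans constructed log lines in the shape of a git command trace for protocol.*.allow keys in any casing and marks those the pre-fix filter would have missed. The log format and the sample lines are assumptions.

```javascript
// Added example, not from the advisory or from simple-git: log scanner for
// case-variant protocol.<subsection>.allow configuration keys.

// Matches a literal protocol[.<subsection>].allow key anywhere in a line,
// case-insensitively; dots are escaped so only real config keys match.
const PROTOCOL_ALLOW_KEY = /\bprotocol(?:\.[a-z0-9_-]+)?\.allow\b/gi;

// The case-sensitive check from vulnerable simple-git versions, reused here only
// to decide whether a hit would have slipped past it.
const PRE_FIX_FILTER = /^\s*protocol(.[a-z]+)?.allow/;

// Returns one finding per matched key: line number (1-based), the key as logged,
// whether its casing differs from lowercase, and whether the old filter missed it.
function scanLogLines(lines) {
  const findings = [];
  lines.forEach((line, idx) => {
    for (const match of line.matchAll(PROTOCOL_ALLOW_KEY)) {
      const key = match[0];
      findings.push({
        line: idx + 1,
        key,
        caseVariant: key !== key.toLowerCase(),
        evadedPreFixFilter: !PRE_FIX_FILTER.test(key),
      });
    }
  });
  return findings;
}

// Constructed sample log lines (not real data), in the shape of a git command trace.
const SAMPLE_LOG = [
  '2026-03-11T10:02:13Z git clone https://example.invalid/repo.git /tmp/work',
  '2026-03-11T10:02:14Z git -c PROTOCOL.ext.allow=always fetch origin',
  '2026-03-11T10:02:15Z git -c protocol.ext.allow=always pull',
  '2026-03-11T10:02:16Z git config user.email ci@example.invalid',
];

// Alert-worthy findings from the sample: both hits should be reviewed, and the
// case-variant one is the signature of this bypass on an unpatched host.
function alertsFor(lines) {
  return scanLogLines(lines).filter((f) => f.caseVariant && f.evadedPreFixFilter);
}
```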
Monitoring Recommendations
- Enable verbose logging for applications using simple-git to capture all git command executions
- Implement process monitoring to detect child processes spawned by Node.js applications
- Configure alerting for any modifications to git protocol configurations in production environments
- Review network traffic from application servers for suspicious outbound connections
How to Mitigate CVE-2026-28292
Immediate Actions Required
- Upgrade simple-git to version 3.23.0 or later immediately
- Audit all Node.js applications for simple-git usage and version dependencies
- Review application code for any user-controlled input passed to simple-git functions
- Implement input sanitization as an additional defense layer before passing data to simple-git
Patch Information
The vulnerability has been patched in simple-git version 3.23.0. The fix implements case-insensitive regex matching in the block-unsafe-operations-plugin.ts file to properly detect and block all variations of unsafe protocol configuration attempts. The patch is available via the GitHub commit f7042088aa2dac59e3c49a84d7a2f4b26048a257.
Workarounds
- Implement strict input validation and sanitization before passing any user-controlled data to simple-git
- Use application-level allowlists for git commands and options if upgrading is not immediately possible
- Isolate applications using simple-git in restricted environments with limited network access
- Consider using containerization with minimal privileges to limit the impact of potential exploitation
# Update simple-git to the patched version (npm install accepts a version spec; npm update does not)
npm install simple-git@latest
# Verify the installed version is 3.23.0 or later
npm list simple-git
# For yarn users
yarn upgrade simple-git@^3.23.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

