CVE-2026-6951 Overview
CVE-2026-6951 is a Remote Code Execution (RCE) vulnerability affecting versions of the simple-git Node.js package before version 3.36.0. This vulnerability exists due to an incomplete fix for CVE-2022-25912, which blocked the -c option but failed to block the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source.
Critical Impact
Attackers can achieve arbitrary code execution on systems running vulnerable versions of simple-git when untrusted input reaches the options argument, potentially leading to complete system compromise.
Affected Products
- simple-git versions prior to 3.36.0
- Node.js applications using vulnerable simple-git package versions
- CI/CD pipelines and automation tools utilizing simple-git for Git operations
Discovery Timeline
- 2026-04-25 - CVE CVE-2026-6951 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-6951
Vulnerability Analysis
This vulnerability is classified under CWE-94 (Improper Control of Generation of Code - Code Injection). The flaw represents a bypass of a previous security fix implemented for CVE-2022-25912. The original patch blocked the -c command-line option to prevent attackers from injecting malicious Git configuration options. However, the fix was incomplete as it did not account for the long-form --config option, which provides identical functionality.
When an application passes user-controlled input to the simple-git library without proper sanitization, an attacker can exploit this gap by injecting --config protocol.ext.allow=always along with a malicious ext:: protocol URL. This combination allows the execution of arbitrary shell commands through Git's external protocol handler mechanism.
Root Cause
The root cause is an incomplete blocklist implementation in the argument parsing logic. The original security patch for CVE-2022-25912 only blocked the short-form -c option but overlooked the functionally equivalent --config long-form flag. Git accepts both forms interchangeably for setting configuration values, making the blocklist trivially bypassable.
Attack Vector
The attack is network-exploitable and requires no authentication. An attacker must be able to influence the options or arguments passed to simple-git methods such as clone() or fetch(). By crafting a malicious payload that includes --config protocol.ext.allow=always and an ext:: URL pointing to a shell command, the attacker can execute arbitrary code with the privileges of the Node.js process.
The following patch demonstrates the security improvements made to address this vulnerability, including enhanced environment parsing and vulnerability checking mechanisms:
-export { parseArgv } from './src/parse-argv';
+export { parseArgv } from './src/args/parse-argv';
export type {
ConfigRead,
ConfigScope,
ConfigWrite,
ParsedArgv,
ParsedFlag,
-} from './src/parse-argv.types';
+} from './src/args/parse-argv.types';
+export { parseEnv } from './src/env/parse-env';
export type {
Vulnerability,
VulnerabilityCategory,
+ VulnerabilityCategoryFlags,
} from './src/vulnerabilities/vulnerability.types';
-export { vulnerabilityAnalysis } from './src/vulnerabilities/vulnerability-analysis';
+export { vulnerabilityCheck } from './src/vulnerabilities/vulnerability-check';
Source: GitHub Commit Update
Detection Methods for CVE-2026-6951
Indicators of Compromise
- Presence of --config arguments in Git command executions containing protocol.ext.allow=always
- Git clone or fetch operations using ext:: protocol URLs
- Unexpected shell command executions spawned from Node.js processes running simple-git
- Anomalous network connections or process spawning from Git operations
Detection Strategies
- Monitor Node.js application logs for Git commands containing --config with suspicious protocol configurations
- Implement runtime application self-protection (RASP) to detect command injection patterns
- Use static analysis tools to identify code paths where user input flows to simple-git methods
- Deploy SentinelOne Singularity Platform to detect anomalous process execution chains originating from Node.js
Monitoring Recommendations
- Enable verbose logging for applications utilizing simple-git to capture all Git command arguments
- Configure SIEM rules to alert on ext:: protocol usage in Git operations
- Monitor package manager audit reports for vulnerable simple-git versions
- Implement application-level logging of all arguments passed to simple-git functions
How to Mitigate CVE-2026-6951
Immediate Actions Required
- Upgrade simple-git package to version 3.36.0 or later immediately
- Audit all code paths where user input may influence simple-git options or arguments
- Implement strict input validation and sanitization for any user-controlled data passed to Git operations
- Review application logs for potential exploitation attempts
Patch Information
The vulnerability has been addressed in simple-git version 3.36.0. The fix implements comprehensive blocking of both -c and --config options, along with enhanced vulnerability checking mechanisms. The security patch is available via the GitHub Commit. Additional details are available in the Snyk Vulnerability Report.
Workarounds
- Implement application-level filtering to reject any Git arguments containing --config or -c flags from untrusted sources
- Use allowlists for permitted Git options rather than blocklists
- Isolate simple-git operations in sandboxed environments with restricted permissions
- Avoid passing user-controlled input directly to simple-git methods; instead, use predefined configuration options
# Update simple-git to patched version
npm update simple-git@^3.36.0
# Audit your project for vulnerable versions
npm audit --audit-level=high
# Lock down to the fixed version
npm install simple-git@3.36.0 --save-exact
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
