simple-git Command Execution Vulnerability via Option Parsing Bypass

Vulnerability

A command execution vulnerability has been identified in simple-git versions prior to 3.32.0. The issue arises from improper handling of Git command options: by manipulating option arguments, a user can execute arbitrary commands. The manipulated arguments bypass the existing safeguards that block dangerous options such as '-u' and '--upload-pack'. The root cause is an incomplete fix for a previous vulnerability, CVE-2022-25860; Git's flexible option parsing can be used to circumvent the regular-expression-based restrictions. The flaw was introduced in version 3.16.0 and affects all subsequent versions through 3.31.1.

Impact

Exploitation of this vulnerability allows for arbitrary command execution via Git option manipulation, bypassing safety checks intended to block potentially harmful options. This could lead to unauthorized actions being performed in the context of the user running the Git commands.

Reproduction

The vulnerability can be reproduced by using simple-git version 3.28.0 or earlier. In a Linux environment, particularly within WSL Docker, this version can be installed and the vulnerability triggered by cloning a Git repository while specifying command options that exploit the bypass. Options such as '-vu' can be used to execute commands, such as creating a file in the '/tmp' directory, demonstrating the arbitrary command execution capability.
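The Vulnerability and Reproduction sections above describe the failure mode: a blocklist that matches the exact tokens '-u' and '--upload-pack' does not see the clustered form '-vu'. The following is an added example (not simple-git's own code or its fix) showing such a naive check beside a stricter one that expands arguments the way Git's option parser does before comparing them; the option names and argument arrays are constructed for illustration.

```javascript
// Added example, not simple-git's code: compare a naive exact-token blocklist
// with a check that understands Git's clustered short flags ("-vu"), the
// "--option=value" form, and the "--" end-of-options marker.

const BLOCKED_SHORT = new Set(['u']);            // letters of blocked short options
const BLOCKED_LONG = new Set(['upload-pack']);   // names of blocked long options

// Naive check: the pattern a regex-based blocklist typically expresses.
// It rejects "-u" but lets "-vu" through.
function naiveIsSafe(args) {
  return !args.some((a) => /^(-u|--upload-pack)$/.test(a));
}

// Stricter check: normalize each argument before consulting the blocklist.
function strictIsSafe(args) {
  for (const a of args) {
    if (a === '--') break;                      // everything after "--" is an operand
    if (a.startsWith('--')) {
      const name = a.slice(2).split('=')[0];    // "--upload-pack=x" -> "upload-pack"
      if (BLOCKED_LONG.has(name)) return false;
      // Git also accepts unambiguous abbreviations of long option names,
      // so a prefix of a blocked name is treated as blocked (conservative).
      if (name && [...BLOCKED_LONG].some((l) => l.startsWith(name))) return false;
    } else if (a.startsWith('-') && a.length > 1) {
      // "-vu" is the cluster "-v" + "-u": any blocked letter anywhere rejects it.
      for (const ch of a.slice(1)) {
        if (BLOCKED_SHORT.has(ch)) return false;
      }
    }
  }
  return true;
}
```

The strict check is deliberately conservative: it may reject a harmless cluster such as '-uv' where 'v' would actually be the value of '-u', which is acceptable for a blocklist guarding command construction.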

Remediation

Users can upgrade to simple-git version 3.32.0 or later, where this vulnerability has been fixed.

Added: Apr 13, 2026, 6:36 PM
Updated: Apr 13, 2026, 6:36 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 7.5
exploitability: 6.0
remediation: 7.7
relevance: 5.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.