simple-git Remote Code Execution Vulnerability Allowing Bypass of Previous CVE Fixes

Vulnerability

A remote code execution vulnerability has been identified in the simple-git library, which is used to run git commands in Node.js applications. This issue affects versions 3.15.0 through 3.32.2 and allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) by exploiting a case-sensitivity flaw in the handling of git protocol configuration keys. The vulnerability arises because Git treats configuration key names as case-insensitive, while the regex used in simple-git's security plugin is case-sensitive, creating a mismatch that can be exploited.

Impact

Exploitation of this vulnerability leads to full remote code execution on the host machine, with injected commands running as the user of the Node.js process. This could involve reading sensitive files, exfiltrating secrets, installing malware, opening reverse shells, or moving laterally within the environment.

Reproduction

The vulnerability can be reproduced by using simple-git version 3.32.2 and injecting uppercase variants of the 'protocol.allow' configuration key into git commands. This bypasses the regex check in simple-git's security plugin, allowing the 'ext::' protocol to be enabled and arbitrary commands to be executed on the host machine.

Remediation

Users are advised to upgrade to simple-git version 3.32.3 or later. If an immediate upgrade is not possible, audit all code paths where user input could reach simple-git method arguments, and validate and sanitize this input before it is passed to simple-git.
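The following is an added example of the input validation recommended above; it is not simple-git's own security plugin. It pre-checks a git argument array before it reaches simple-git, lower-casing configuration keys before matching (the normalisation step the advisory says was missing), and refuses both protocol.allow overrides and the ext:: transport. The function names and the sample arguments are constructed for illustration.

```javascript
'use strict';

// Git treats config key names case-insensitively, so compare lower-cased keys.
// Catches `protocol.allow` and `protocol.<scheme>.allow` in `key=value` form.
const PROTOCOL_ALLOW_RE = /^protocol(?:\.[^.=\s]+)?\.allow\s*=/;
// The `ext::` remote helper is what a protocol.allow override unlocks; reject
// it wherever it appears in an argument (URL, remote name, or config value).
const EXT_TRANSPORT_RE = /(?:^|[\s=:'"])ext::/;

// True when a `key=value` pair would change protocol.allow (any letter case).
function isProtocolAllowOverride(pair) {
  return PROTOCOL_ALLOW_RE.test(String(pair).trim().toLowerCase());
}

// Returns the first offending argument, or null when the list looks safe.
function findUnsafeGitArg(args) {
  for (let i = 0; i < args.length; i++) {
    const arg = String(args[i]);
    const lower = arg.toLowerCase();
    if (EXT_TRANSPORT_RE.test(lower)) return arg;
    let pair = null;
    if (lower === '-c' || lower === '--config') {
      pair = args[i + 1];                       // split form: -c key=value
    } else if (lower.startsWith('--config=')) {
      pair = arg.slice('--config='.length);     // --config=key=value (clone)
    } else if (lower.startsWith('-c') && arg.length > 2) {
      pair = arg.slice(2);                      // attached form: -ckey=value
    }
    if (pair != null && isProtocolAllowOverride(pair)) return String(pair);
  }
  return null;
}

// Guard to call before handing user-influenced arguments to simple-git
// (hypothetical usage, e.g. before simpleGit().raw(args)): throws instead of
// forwarding arguments that would re-enable the blocked protocol.
function assertSafeGitArgs(args) {
  const bad = findUnsafeGitArg(args);
  if (bad !== null) throw new Error(`refusing unsafe git argument: ${bad}`);
  return args;
}
```

This is a defence-in-depth check for code that cannot upgrade immediately; it does not replace the fixed simple-git release.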

Added: Mar 10, 2026, 7:32 PM
Updated: Mar 10, 2026, 7:32 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 7.5
exploitability: 6.0
remediation: 7.7
relevance: 3.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.