simple-git Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in the simple-git package in versions prior to 3.36.0. It stems from an incomplete fix for an earlier issue in which the --config option could bypass the package's protections. If untrusted input reaches the options argument of the clone function, an attacker can set protocol.ext.allow=always and supply an ext:: clone source.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the system where the affected Node.js application is running.

Reproduction

Affected versions are simple-git 3.15.0 and later, prior to 3.36.0. When untrusted input reaches the options of the 'clone' command, a '--config' option that sets 'protocol.ext.allow' to 'always', combined with an ext:: clone source, causes arbitrary commands to be executed on the host system.

Remediation

Users are advised to upgrade simple-git to version 3.36.0 or later.
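Upgrading is the fix. As an added defence-in-depth layer for applications that build clone arguments from user input, the validator below (example code written for this page, not from the advisory or the simple-git project) forwards only an allowlisted set of clone flags and an https:// source, so --config, -c and ext:: sources are refused however they are spelled. It assumes simple-git's two option shapes, a string array or an object of flag-to-value pairs; the function names, the allowlist and the sample inputs are my own constructions.

```javascript
// Added example, not part of the advisory or of simple-git itself.
// Validates (repo, options) before they are handed to simple-git's clone().

// Allowlist of clone flags this application is willing to forward. Anything
// else, including --config and -c, is refused: the advisory's root cause was
// an incomplete denylist, so we do not maintain one.
const FLAGS_WITH_VALUE = new Set(['--depth', '--branch']);
const FLAGS_WITHOUT_VALUE = new Set(['--single-branch', '--no-tags']);
const VALUE_RE = {
  '--depth': /^[1-9]\d*$/,                      // positive integer only
  '--branch': /^[A-Za-z0-9][A-Za-z0-9._/-]*$/, // cannot start with '-'
};

// Only plain https:// sources; ext::, file://, ssh and local paths all fail.
const ALLOWED_REMOTE_RE = /^https:\/\/[A-Za-z0-9.-]+(?::\d+)?\/[A-Za-z0-9._~/-]+$/;

// simple-git accepts options as an array of strings or as an object of
// { '--flag': value } pairs (assumed shapes); flatten both to a string array.
function normalizeOptions(options) {
  if (options == null) return [];
  if (Array.isArray(options)) return options.map(String);
  if (typeof options === 'object') {
    const out = [];
    for (const [key, value] of Object.entries(options)) {
      out.push(key);
      if (value !== null && value !== undefined) out.push(String(value));
    }
    return out;
  }
  throw new TypeError('options must be an array or an object');
}

// Returns { ok: true, repo, args } with a normalized argument list, or
// { ok: false, reason } describing the first rejected element.
function validateCloneArgs(repo, options) {
  if (typeof repo !== 'string' || !ALLOWED_REMOTE_RE.test(repo)) {
    return { ok: false, reason: 'clone source must be an https:// URL: ' + String(repo) };
  }
  let args;
  try {
    args = normalizeOptions(options);
  } catch (err) {
    return { ok: false, reason: err.message };
  }
  const out = [];
  for (let i = 0; i < args.length; i++) {
    const arg = args[i];
    const eq = arg.indexOf('=');
    const flag = eq === -1 ? arg : arg.slice(0, eq);
    let value = eq === -1 ? undefined : arg.slice(eq + 1);

    if (FLAGS_WITHOUT_VALUE.has(flag)) {
      if (value !== undefined) return { ok: false, reason: flag + ' takes no value' };
      out.push(flag);
      continue;
    }
    if (!FLAGS_WITH_VALUE.has(flag)) {
      return { ok: false, reason: 'option not permitted: ' + arg };
    }
    if (value === undefined) {
      if (i + 1 >= args.length) return { ok: false, reason: flag + ' requires a value' };
      value = args[++i]; // consume the following element as the value
    }
    // A value that fails its pattern is refused, which also stops a flag such
    // as --config from being smuggled in as the "value" of --depth.
    if (!VALUE_RE[flag].test(value)) {
      return { ok: false, reason: 'bad value for ' + flag + ': ' + value };
    }
    out.push(flag, value);
  }
  return { ok: true, repo, args: out };
}

// Wrapper a caller would use in place of git.clone(); `git` is a simple-git
// instance supplied by the caller. localDir must also come from trusted code
// (path validation is out of scope for this example).
async function guardedClone(git, repo, localDir, options) {
  const verdict = validateCloneArgs(repo, options);
  if (!verdict.ok) throw new Error('refusing clone: ' + verdict.reason);
  return git.clone(verdict.repo, localDir, verdict.args);
}
```

Because the check is an allowlist, it needs no update when git gains a new flag that executes commands or reads configuration; only the flags the application deliberately exposes are ever forwarded.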

Added: Apr 25, 2026, 6:19 AM
Updated: Apr 25, 2026, 6:19 AM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 10.0
exploitability: 6.0
remediation: 7.7
relevance: 6.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.