Description

simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for CVE-2022-25860, as Git's flexible option parsing allows numerous character combinations (e.g., -vu, -4u, -nu) to circumvent the regular-expression-based blocklist in the unsafe operations plugin. Due to the virtually infinite number of valid option variants that Git accepts, a complete blocklist-based mitigation may be infeasible without fully emulating Git's option parsing behavior. This issue has been fixed in version 3.32.0.

INFO

Published Date :

2026-04-13T17:15:14.594Z

Last Modified :

2026-04-14T16:30:34.266Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-28291 vulnerability.

Vendors Products
Steveukx
  • Git-js
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-28291.

URL Resource
https://github.com/steveukx/git-js/blob/789c13ebabcf18ebe0b3a0c88ebb4037dede42e3/simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts#L26 cve-icon cve-icon cve-icon
https://github.com/steveukx/git-js/commit/1effd8e5012a5da05a9776512fac3e39b11f2d2d cve-icon cve-icon
https://github.com/steveukx/git-js/releases/tag/simple-git%403.32.0 cve-icon cve-icon cve-icon
https://github.com/steveukx/git-js/security/advisories/GHSA-jcxm-m3jx-f287 cve-icon cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-28291 cve-icon
https://www.cve.org/CVERecord?id=CVE-2022-25860 cve-icon cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-28291 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact