CVE-2022-25860

CRITICAL9.8EPSS 41.1%

Remote code execution in simple-git

發布日:2023/1/26修改日:2025/4/1

描述

Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of CVE-2022-25912.

受影響套件(1)

npm/simple-gitfrom 0, < 3.16.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-25860
WEBhttps://github.com/steveukx/git-js/commit/ec97a39ab60b89e870c5170121cd9c1603cc1951
WEBhttps://github.com/steveukx/git-js/pull/881/commits/95459310e5b8f96e20bb77ef1a6559036b779e13
WEBhttps://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3177391