Home > Vulnerability Database > CVE-2022-25860

Mend.io Vulnerability Database

CVE-2022-25860

Good to know:

Date: January 24, 2023

Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of "CVE-2022-25912" (https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221).

Language: TYPE_SCRIPT

Severity Score

8.1

Related Resources (4)

Url: https://github.com/steveukx/git-js/commit/ec97a39ab60b89e870c5170121cd9c1603cc1951

Url: https://github.com/steveukx/git-js/pull/881/commits/95459310e5b8f96e20bb77ef1a6559036b779e13

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-25860

Url: https://www.mend.io/vulnerability-database/CVE-2022-25860

Severity Score

8.1

Weakness Type (CWE)

Improper Control of Generation of Code ('Code Injection')

CWE-94

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

Insufficient Information

NVD-CWE-noinfo

Top Fix

Upgrade Version

Upgrade to version simple-git - 3.16.0

Learn More

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2022-25860

Good to know:

Date: January 24, 2023

Language: TYPE_SCRIPT

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?