CVE-2026-28291— Simple Git 操作系统命令注入漏洞

simple-git has Command Execution via Option-Parsing Bypass

simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for CVE-2022-25860, as Git's flexible option parsing allows numerous character combinations (e.g., -vu, -4u, -nu) to circumvent the regular-expression-based blocklist in the unsafe operations plugin. Due to the virtually infinite number of valid option variants that Git accepts, a complete blocklist-based mitigation may be infeasible without fully emulating Git's option parsing behavior. This issue has been fixed in version 3.32.0.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

Simple Git 操作系统命令注入漏洞

Simple Git是英国Steve King个人开发者的一个轻量级接口。用于在任何 Node.js 应用程序中运行 Git 命令。 Simple Git 3.31.1及之前版本存在操作系统命令注入漏洞，该漏洞源于Git选项操作绕过安全检查，可能导致执行任意命令。

N/A

N/A