Jan 2, 2026
Versions of `simple-git` prior to 3.3.0 fail to sanitize input in the `fetch()` function. Attackers can inject Git flags (specifically `--upload-pack`) to achieve Remote Code Execution (RCE). The fix involves a regex blocklist against this specific flag.
A critical argument injection vulnerability in the popular `simple-git` Node.js library allows attackers to execute arbitrary system commands via the `.fetch()` method. By abusing Git's `--upload-pack` flag, malicious inputs can trick the underlying git binary into executing shell commands.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

| Product | Affected Versions | Fixed Version |
|---|---|---|
| simple-git steveukx | < 3.3.0 | 3.3.0 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-88 (Argument Injection) |
| CVSS v3.1 | 8.1 (High) |
| Attack Vector | Network (Input to .fetch) |
| Affected Component | simple-git .fetch() method |
| Key Flag | --upload-pack |
| Exploit Status | PoC Available / Verified in CTFs |

The software constructs a string for a command from trusted and untrusted data but does not properly neutralize argument delimiters, allowing the injection of new arguments.
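
As a defence in depth alongside upgrading to 3.3.0, an application can allowlist the values it hands to `.fetch()` so that nothing option-shaped reaches git at all, rather than relying on a blocklist for one flag. The following is an added example, not code from simple-git or from the original page; the helper names `checkGitArg` and `safeFetchArgs` are hypothetical, and it assumes the application only fetches named remotes and branch names (not URLs).

```javascript
// Added example: allowlist validation for values later passed to .fetch().
// checkGitArg / safeFetchArgs are hypothetical helpers, not simple-git APIs.

// Must start with an alphanumeric, so git can never parse the value
// as an option such as --upload-pack.
const SAFE_REF = /^[A-Za-z0-9][A-Za-z0-9._\/-]{0,199}$/;

function checkGitArg(kind, value) {
  // Arrays or objects from a parsed request body are rejected outright.
  if (typeof value !== 'string') {
    return { ok: false, reason: `${kind}: not a string` };
  }
  if (value.startsWith('-')) {
    return { ok: false, reason: `${kind}: looks like a command-line option` };
  }
  if (!SAFE_REF.test(value)) {
    return { ok: false, reason: `${kind}: characters outside the allowlist` };
  }
  if (value.includes('..') || value.endsWith('/') || value.endsWith('.lock')) {
    return { ok: false, reason: `${kind}: not a valid ref name` };
  }
  return { ok: true, reason: '' };
}

// Validate both parameters; throws before anything reaches the git binary.
function safeFetchArgs(remote, branch) {
  for (const [kind, value] of [['remote', remote], ['branch', branch]]) {
    const result = checkGitArg(kind, value);
    if (!result.ok) throw new Error(`rejected ${result.reason}`);
  }
  return [remote, branch];
}

// Constructed sample inputs (the flag value is a placeholder).
const samples = [
  ['origin', 'main'],
  ['origin', 'feature/login-form'],
  ['origin', '--upload-pack=PLACEHOLDER'],
  ['-x', 'main'],
  ['origin', ['main']],
];

function runSamples() {
  return samples.map(([remote, branch]) => {
    try { safeFetchArgs(remote, branch); return 'accepted'; }
    catch (e) { return e.message; }
  });
}

console.log(runSamples());
```

The validated pair is what the application would then pass on as the remote and branch arguments of `.fetch()`.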