Git Rekt: The Simple-Git Command Injection Deep Dive
Jan 2, 2026 · 6 min read
Executive Summary (TL;DR)
Versions of `simple-git` prior to 3.3.0 fail to sanitize input in the `fetch()` function. Attackers can inject Git flags (specifically `--upload-pack`) to achieve Remote Code Execution (RCE). The fix involves a regex blocklist against this specific flag.
A critical argument injection vulnerability in the popular `simple-git` Node.js library allows attackers to execute arbitrary system commands via the `.fetch()` method. By abusing Git's `--upload-pack` flag, malicious inputs can trick the underlying git binary into executing shell commands.
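A caller-side guard for the values handed to `.fetch()`, as an added example (not code from simple-git or from this advisory). It puts a single-flag blocklist like the one the fix is described as using next to a stricter check that refuses any option-shaped value. The function names, both regexes and the sample inputs are assumptions made for illustration.

```javascript
// Blocklist in the style the advisory describes: match only the one flag.
// Assumed pattern for illustration, not the regex shipped in simple-git 3.3.0.
const UPLOAD_PACK = /^--upload-pack(=|$)/;
function isBlockedFlag(arg) {
  return UPLOAD_PACK.test(String(arg));
}

// Stricter caller-side check: a remote or ref must never look like an option.
// Assumed conservative ref pattern: letters, digits, ".", "_", "/", "-".
const SAFE_REF = /^[A-Za-z0-9_.\/][A-Za-z0-9_.\/-]*$/;

function checkFetchArg(name, value) {
  if (typeof value !== 'string' || value.length === 0) {
    return { ok: false, reason: `${name}: must be a non-empty string` };
  }
  if (value.startsWith('-')) {
    return { ok: false, reason: `${name}: option-like value rejected` };
  }
  if (/[\x00-\x20\x7f]/.test(value)) {
    return { ok: false, reason: `${name}: whitespace/control characters rejected` };
  }
  if (name === 'branch' && (!SAFE_REF.test(value) || value.includes('..'))) {
    return { ok: false, reason: `${name}: not a plain ref name` };
  }
  return { ok: true, reason: '' };
}

// Validate both positional values before they are passed to fetch(remote, branch).
function validateFetchArgs(remote, branch) {
  const results = [checkFetchArg('remote', remote), checkFetchArg('branch', branch)];
  return results.find((r) => !r.ok) || { ok: true, reason: '' };
}

// Constructed sample inputs (placeholders, not taken from any real incident).
const samples = [
  ['origin', 'main'],
  ['origin', '--upload-pack=PLACEHOLDER'],
  ['--placeholder-option', 'main'],
  ['origin', 'feature/login fix'],
];
for (const [remote, branch] of samples) {
  const r = validateFetchArgs(remote, branch);
  console.log(JSON.stringify([remote, branch]), r.ok ? 'accepted' : `rejected (${r.reason})`);
}
```

Rejecting every value that begins with `-` covers the flag named here without depending on a list of flag names, and it applies the same way on patched and unpatched versions.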
Official Patches
Fix Analysis (1)
Technical Appendix
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| simple-git steveukx | < 3.3.0 | 3.3.0 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-88 (Argument Injection) |
| CVSS v3.1 | 8.1 (High) |
| Attack Vector | Network (Input to .fetch) |
| Affected Component | simple-git .fetch() method |
| Key Flag | --upload-pack |
| Exploit Status | PoC Available / Verified in CTFs |
MITRE ATT&CK Mapping
The software constructs a string for a command from trusted and untrusted data but does not properly neutralize argument delimiters, allowing the injection of new arguments.
Known Exploits & Detection
Vulnerability Timeline