CVE-2026-28291
Published: 13 April 2026
Summary
CVE-2026-28291 is a high-severity OS Command Injection (CWE-78) vulnerability in Simple-Git Project Simple-Git. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely remediation of the command injection flaw in simple-git by updating to version 3.32.0, which implements robust option parsing to prevent bypasses.
Enforces validation and sanitization of inputs passed to the simple-git library to block malicious Git option manipulations like -vu or -nu that evade the blocklist.
Provides vulnerability scanning of software dependencies to identify and prioritize remediation of affected simple-git versions vulnerable to CVE-2026-28291.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables remote exploitation of public-facing Node.js applications using vulnerable simple-git (T1190), resulting in arbitrary OS command execution (T1059).
NVD Description
simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an…
more
incomplete fix for CVE-2022-25860, as Git's flexible option parsing allows numerous character combinations (e.g., -vu, -4u, -nu) to circumvent the regular-expression-based blocklist in the unsafe operations plugin. Due to the virtually infinite number of valid option variants that Git accepts, a complete blocklist-based mitigation may be infeasible without fully emulating Git's option parsing behavior. This issue has been fixed in version 3.32.0.
Deeper analysisAI
CVE-2026-28291 is a command injection vulnerability (CWE-78) in the simple-git JavaScript library, which enables running native Git commands from Node.js applications. Versions up to and including 3.31.1 are affected, where attackers can execute arbitrary commands by manipulating Git options to bypass safety checks in the unsafe operations plugin. This flaw arises from an incomplete fix for the prior CVE-2022-25860, as Git's flexible option parsing accepts numerous character combinations (such as -vu, -4u, or -nu) that evade the regular-expression-based blocklist designed to prevent dangerous options like -u and --upload-pack.
The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating network-accessible exploitation with high attack complexity but no privileges or user interaction required. Remote attackers can exploit it by supplying crafted inputs to applications using vulnerable simple-git versions, tricking the library into passing malicious Git options that result in arbitrary OS command execution on the host system. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, potentially allowing full server compromise.
Mitigation is available in simple-git version 3.32.0, which addresses the bypass through changes detailed in the project's security advisory (GHSA-jcxm-m3jx-f287) and a specific commit. Practitioners should update to 3.32.0 immediately, as the description notes that blocklist-based approaches are infeasible due to Git's vast option variant possibilities, implying the fix involves more robust parsing emulation or validation. Additional details are in the release notes and plugin source updates on the steveukx/git-js GitHub repository.
Details
- CWE(s)