CVE-2026-28291
Published: 13 April 2026
Description
simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for CVE-2022-25860, as Git's flexible option parsing allows numerous character combinations (e.g., -vu, -4u, -nu) to circumvent the regular-expression-based blocklist in the unsafe operations plugin. Due to the virtually infinite number of valid option variants that Git accepts, a complete blocklist-based mitigation may be infeasible without fully emulating Git's option parsing behavior. This issue has been fixed in version 3.32.0.
Mitigating Controls (NIST 800-53 r5)
- Directly requires timely remediation of the command injection flaw in simple-git by updating to version 3.32.0, which implements robust option parsing to prevent bypasses.
- Enforces validation and sanitization of inputs passed to the simple-git library to block malicious Git option manipulations like -vu or -nu that evade the blocklist.
- Provides vulnerability scanning of software dependencies to identify and prioritize remediation of affected simple-git versions vulnerable to CVE-2026-28291.
Security Summary
CVE-2026-28291 is a command injection vulnerability (CWE-78) in the simple-git JavaScript library, which enables running native Git commands from Node.js applications. Versions up to and including 3.31.1 are affected, where attackers can execute arbitrary commands by manipulating Git options to bypass safety checks in the unsafe operations plugin. This flaw arises from an incomplete fix for the prior CVE-2022-25860, as Git's flexible option parsing accepts numerous character combinations (such as -vu, -4u, or -nu) that evade the regular-expression-based blocklist designed to prevent dangerous options like -u and --upload-pack.
The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating network-accessible exploitation with high attack complexity but no privileges or user interaction required. Remote attackers can exploit it by supplying crafted inputs to applications using vulnerable simple-git versions, tricking the library into passing malicious Git options that result in arbitrary OS command execution on the host system. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, potentially allowing full server compromise.
Mitigation is available in simple-git version 3.32.0, which addresses the bypass through changes detailed in the project's security advisory (GHSA-jcxm-m3jx-f287) and a specific commit. Practitioners should update to 3.32.0 immediately, as the description notes that blocklist-based approaches are infeasible due to Git's vast option variant possibilities, implying the fix involves more robust parsing emulation or validation. Additional details are in the release notes and plugin source updates on the steveukx/git-js GitHub repository.
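The description and the summary above both describe the same mechanism: a regular-expression blocklist over individual argument tokens misses Git's bundled short options. The following is an added illustration, not simple-git's own plugin code; the blocklist regexes, the allowlist contents and the helper names are hypothetical, chosen only to show why token-level blocklisting fails for the variants the advisory names (-vu, -4u, -nu) and how an allowlist over expanded short flags closes that gap.

```javascript
// Hypothetical token-level blocklist: rejects an argument only when it is
// exactly "-u", "--upload-pack" or "--upload-pack=<value>". This is a stand-in
// for the regex approach the advisory describes, not simple-git's real code.
const NAIVE_BLOCKLIST = [/^-u$/, /^--upload-pack(=.*)?$/];

function naiveBlocklistAllows(args) {
  return args.every((a) => !NAIVE_BLOCKLIST.some((re) => re.test(a)));
}

// Allowlist policy (hypothetical): anything that looks like an option must be
// one the application explicitly permits. Bundled short flags ("-vu") are
// expanded letter by letter before the check, so "-u" hidden inside "-vu",
// "-4u" or "-nu" is still seen. Git stops option parsing at "--", after which
// remaining arguments are positional and are not inspected as options.
function allowlistAllows(args, allowedOptions) {
  let optionsEnded = false;
  for (const a of args) {
    if (optionsEnded || a === '-') continue; // lone "-" is a positional (stdin)
    if (a === '--') { optionsEnded = true; continue; }
    if (!a.startsWith('-')) continue;       // positional argument
    if (a.startsWith('--')) {
      // Compare the long option name without any "=value" suffix.
      const name = a.split('=', 1)[0];
      if (!allowedOptions.has(name)) return false;
      continue;
    }
    // Bundled short options: every letter must be individually allowed.
    // A short option carrying an attached value ("-ofoo") is rejected unless
    // each character happens to be an allowed flag, a deliberately
    // conservative outcome for an allowlist.
    for (const ch of a.slice(1)) {
      if (!allowedOptions.has('-' + ch)) return false;
    }
  }
  return true;
}

// Constructed sample policy for a clone/fetch wrapper: verbose and IPv4-only
// are permitted, nothing that can redirect the transport is.
const SAMPLE_ALLOWED = new Set(['-v', '--verbose', '-4', '--depth']);
```

Running the advisory's own variants through both checks shows the difference: the blocklist lets `-vu` through unchanged, while the allowlist rejects it because `u` is not a permitted flag.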
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables remote exploitation of public-facing Node.js applications that use vulnerable simple-git versions (T1190), resulting in arbitrary OS command execution (T1059).