CVE-2026-28292
simple-git · simple-git
The `simple-git` library is vulnerable to a bypass of its earlier remote code execution fixes, allowing attackers to circumvent those previous security fixes and achieve full host compromise.
Executive summary
A critical vulnerability in the simple-git library allows an attacker to bypass existing security controls and execute arbitrary code on the host machine.
Vulnerability
This issue is a regression or bypass of previous fixes (CVE-2022-25860 and CVE-2022-25912). It allows an attacker to manipulate git command execution via the Node.js interface to achieve full remote code execution on the host machine. The vulnerability is typically exploited through maliciously crafted input passed to git commands.
Business impact
A successful exploit grants the attacker the ability to run any command on the server hosting the Node.js application. This could lead to full system takeover, theft of source code, and unauthorized access to connected databases. The CVSS score of 9.8 reflects the high probability of exploitation and the devastating impact on the host environment.
Remediation
Immediate Action: Update the simple-git dependency in your Node.js applications to version 3.23.0 or the latest available version immediately.
Proactive Monitoring: Review application logs for unusual git command parameters or unexpected shell execution patterns originating from the Node.js process.
Compensating Controls: Implement strict input validation and sanitization for any user-supplied data that is passed to the simple-git interface.
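One way to implement the compensating control above, as an added example that is not simple-git's own code and not part of this advisory: a validation layer that sits in front of the simple-git calls and only lets allowlisted remote URLs and well-formed ref names through. It assumes, based on the option-injection class of the earlier CVEs this issue bypasses, that the risky inputs are option-like arguments and non-allowlisted remotes; the host allowlist and the injected `git` client are constructed for the example.

```javascript
// Added example for this advisory, not simple-git's own code. Assumption: the
// risky inputs are git option-like arguments and non-allowlisted remotes, the
// class of the earlier CVEs this issue bypasses.
const ALLOWED_REMOTE_HOSTS = new Set(['github.com', 'git.example.internal']); // constructed allowlist
const REF_CHARS = /^[A-Za-z0-9._\/-]+$/;

function reject(reason) { return { ok: false, reason }; }

// Remote URLs: must be absolute https URLs to an allowlisted host, with no
// embedded credentials and nothing git could parse as an option.
function validateRemoteUrl(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > 2048) return reject('empty or oversized');
  if (input.startsWith('-')) return reject('looks like a git option');
  let url;
  try { url = new URL(input); } catch { return reject('not an absolute URL'); }
  if (url.protocol !== 'https:') return reject(`transport ${url.protocol} not allowed`);
  if (!ALLOWED_REMOTE_HOSTS.has(url.hostname)) return reject('host not allowlisted');
  if (url.username || url.password) return reject('credentials embedded in URL');
  return { ok: true, value: url.href };
}

// Branch and tag names: a conservative subset of git's check-ref-format rules.
function validateRefName(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > 255) return reject('empty or oversized');
  if (!REF_CHARS.test(input)) return reject('disallowed characters');
  if (input.startsWith('-')) return reject('looks like a git option');
  if (input.includes('..') || input.includes('@{')) return reject('disallowed sequence');
  const parts = input.split('/');
  if (parts.some((p) => p === '' || p.startsWith('.') || p.endsWith('.') || p.endsWith('.lock'))) {
    return reject('invalid path component');
  }
  return { ok: true, value: input };
}

// The git client (e.g. simpleGit()) is injected so this file runs without the
// dependency. Options are fixed by the application; user input only ever fills
// the positional URL and ref values, and only after validation.
function safeClone(git, remote, ref, targetDir) {
  const r = validateRemoteUrl(remote);
  if (!r.ok) throw new Error(`rejected remote: ${r.reason}`);
  const b = validateRefName(ref);
  if (!b.ok) throw new Error(`rejected ref: ${b.reason}`);
  return git.clone(r.value, targetDir, ['--branch', b.value, '--depth', '1']);
}
```

Rejections are logged by the caller as validation failures, which also gives the log review recommended above a concrete signal to look for.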
Exploitation status
Public Exploit Available: No
Analyst recommendation
Due to the widespread use of simple-git in CI/CD pipelines and web applications, this vulnerability poses a significant risk. Developers must audit their package.json files and update to version 3.23.0 immediately to mitigate the risk of remote code execution.