CVE-2026-6951
simple-git · simple-git
The simple-git package is vulnerable to Remote Code Execution (RCE) via a bypass of a previous security fix, allowing attackers to inject a git configuration override that enables dangerous transports such as ext::.
Executive summary
A critical vulnerability in the simple-git package allows an unauthenticated remote attacker who can influence the arguments an application passes to the library to achieve Remote Code Execution (RCE) by injecting a git configuration override that the library's earlier fix did not block.
Vulnerability
This is an RCE vulnerability stemming from an incomplete fix for CVE-2022-25912. The earlier fix blocked the -c option, but git accepts the same configuration override through the --config form; by supplying it, an attacker can enable git protocols that simple-git otherwise refuses, notably the ext:: transport, which makes git run a command instead of contacting a remote. No authentication is required, but the attacker must be able to influence the input the application passes to the library (for example a clone URL or option value taken from a request).
Business impact
With a CVSS score of 9.8 (critical), this vulnerability poses a critical risk to organizational infrastructure. Successful exploitation gives the attacker command execution with the privileges of the process that invokes git, which can lead to complete compromise of the host: arbitrary commands, exfiltration of sensitive data such as repository contents and credentials, or persistent backdoors within the development or production environment.
Remediation
Immediate Action: Upgrade simple-git to version 3.36.0 or later; that release extends the argument blocking so that the --config form is refused along with -c.
Proactive Monitoring: Review application logs for git invocations that carry -c or --config overrides (in particular protocol.ext.allow, the key that enables the ext:: transport) or ext:: clone sources in user-supplied parameters.
Compensating Controls: Until the upgrade is deployed, validate any untrusted data before it reaches simple-git: reject values that begin with a dash (git would otherwise parse them as options), reject ext:: URLs, and never forward caller-controlled option lists to the library.
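As an added example (not code from simple-git or from this advisory), the following Node.js helpers implement the compensating control and the monitoring step described above, and illustrate the mechanism from the Vulnerability section: a value that reaches a git argument list and begins with a dash is parsed as an option, so both the -c and --config spellings must be refused, as must ext:: sources and the protocol.ext.allow key. The function names, the --config/-c log patterns and the sample log lines are this example's own constructions, and the screened values are meant to be passed to the library as positional arguments with no caller-supplied options array.

```javascript
// Added example (not simple-git project code): screen untrusted values before
// they are handed to simple-git or any other git CLI wrapper, and flag
// suspicious git invocations in logs. All names here are this example's own.

// "ext::" remote URLs make git run a command instead of contacting a server.
const EXT_TRANSPORT = /^ext::/i;
// The git config key whose override enables the ext:: transport.
const EXT_ALLOW_KEY = /protocol\.ext\.allow/i;

// True when a value must NOT be placed in a URL/ref/path slot of a git command.
// Any leading dash is rejected because git would parse it as an option
// (-c, --config, --upload-pack, ...), whichever spelling the attacker picks.
function isUnsafeGitArg(arg) {
  if (typeof arg !== 'string') return true;
  const value = arg.trim();
  if (value === '' || value.startsWith('-')) return true;
  if (EXT_TRANSPORT.test(value)) return true;
  if (EXT_ALLOW_KEY.test(value)) return true;
  return false;
}

// Build the argument list for a clone from two untrusted inputs. The options
// are fixed by the application, the values come last after "--", and no
// caller-supplied options array is ever forwarded to the library.
function safeCloneArgs(repoUrl, targetDir) {
  for (const value of [repoUrl, targetDir]) {
    if (isUnsafeGitArg(value)) {
      throw new Error(`rejected git argument: ${JSON.stringify(value)}`);
    }
  }
  return ['clone', '--', repoUrl, targetDir];
}

// Monitoring step: patterns for the two indicators named in the advisory,
// a config override enabling ext:: (via --config or -c) and an ext:: source.
const SUSPICIOUS_PATTERNS = [
  /(^|\s)(--config|-c)[=\s]*protocol\.ext\.allow/i,
  /(^|\s|["'])ext::/i,
];

// Returns the subset of log lines that match any suspicious pattern.
function findSuspiciousLogLines(lines) {
  return lines.filter((line) => SUSPICIOUS_PATTERNS.some((p) => p.test(line)));
}

// Constructed sample log lines (not real logs) showing what the scanner flags:
// lines 2, 3 and 4 are flagged, lines 1 and 5 are ordinary git usage.
const SAMPLE_LOG = [
  'git clone -- https://example.com/org/repo.git work',
  'git --config protocol.ext.allow=always clone ext::helper work',
  'git -c protocol.ext.allow=always clone ext::helper work',
  'git clone "ext::helper" work',
  'git fetch origin main',
];

console.log(safeCloneArgs('https://example.com/org/repo.git', 'work'));
console.log(findSuspiciousLogLines(SAMPLE_LOG));
```

The validator deliberately rejects every dash-prefixed value rather than maintaining a denylist of option names, since the incomplete fix described on this page came from blocking one spelling (-c) while git still accepted another (--config). The log patterns cover both spellings as well as the `--config=` form.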
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The severity of this flaw necessitates immediate remediation. Organizations relying on simple-git for repository management must prioritize upgrading to version 3.36.0 or later to eliminate the risk of arbitrary code execution, and should treat any code path that forwards user input to the library as exposed until the upgrade is in place.