CVE-2022-24066

8.1 HIGH

📋 TL;DR

This vulnerability allows remote command injection in the simple-git npm package in versions before 3.5.0. Attackers can execute arbitrary commands on systems using vulnerable versions by injecting the --upload-pack option into the arguments of git clone operations that the application builds from user-controlled input (argument injection). This affects any application that uses simple-git to interact with git repositories.

💻 Affected Systems

Products:
  • simple-git (npm package)
Versions: All versions before 3.5.0
Operating Systems: All operating systems where Node.js runs
Default Config Vulnerable: ⚠️ Yes
Notes: Applications must use simple-git's clone or fetch operations with user-controlled input to be exploitable. The vulnerability exists in the package itself, not in git.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing arbitrary command execution with the privileges of the application using simple-git, potentially leading to data theft, ransomware deployment, or complete system takeover.

🟠 Likely Case

Remote code execution leading to data exfiltration, lateral movement within the network, or deployment of malware/cryptominers.

🟢 If Mitigated

Limited impact if proper input validation, sandboxing, and least privilege principles are implemented around git operations.

🌐 Internet-Facing: HIGH - Applications accepting user-controlled git repository URLs or parameters are directly exploitable from the internet.
🏢 Internal Only: MEDIUM - Internal applications using simple-git with user-controlled inputs remain vulnerable to authenticated users or internal attackers.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept available in GitHub gists and security advisories. Exploitation requires user-controlled input to git clone/fetch operations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.0 and later

Vendor Advisory: https://github.com/steveukx/git-js/commit/2040de601c894363050fef9f28af367b169a56c5

Restart Required: No

Instructions:

1. Update the simple-git dependency to version 3.5.0 or later.
2. Run 'npm update simple-git' or update package.json to '^3.5.0'.
3. Test application functionality with the updated version.

🔧 Temporary Workarounds

Input validation and sanitization (all platforms)

Validate and sanitize all user inputs passed to git operations, especially repository URLs and branch names.

Run git operations with restricted privileges (all platforms)

Execute simple-git operations in a sandboxed environment or with minimal system privileges.

🧯 If You Can't Patch

  • Implement strict input validation to reject any git parameters containing shell metacharacters or suspicious patterns
  • Run the application using simple-git in a containerized or sandboxed environment with minimal privileges

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list simple-git' to see installed version. If version is below 3.5.0, the system is vulnerable.

Check Version:

npm list simple-git | grep simple-git

Verify Fix Applied:

After updating, verify version is 3.5.0 or higher with 'npm list simple-git'. Test git clone/fetch operations with various inputs.
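The two checks above (input validation around git arguments, and confirming the installed version is 3.5.0 or later) as one added JavaScript example. This is not simple-git's own code or the project's API; the function names, the allowed URL schemes and the way arguments are assembled are this example's own assumptions. The argument checks refuse any value that git would read as an option, which is the class of input this advisory is about, and place a "--" separator before positional arguments so a remote or path can never be interpreted as a flag.

```javascript
// Added example (not simple-git's code): version check for CVE-2022-24066
// and defensive validation of user-supplied git arguments.

const FIXED_VERSION = [3, 5, 0]; // first version the advisory lists as fixed

// Parse a "MAJOR.MINOR.PATCH" string; a leading "v", "^" or "~" is tolerated
// so package.json ranges and `npm list` output can both be fed in.
function parseSemver(version) {
  const m = /^[v^~]?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when the installed simple-git is older than 3.5.0.
function isVulnerableSimpleGitVersion(version) {
  const v = parseSemver(version);
  for (let i = 0; i < 3; i++) {
    if (v[i] < FIXED_VERSION[i]) return true;
    if (v[i] > FIXED_VERSION[i]) return false;
  }
  return false; // exactly 3.5.0
}

// Reject any value that git would read as an option (the root cause here:
// an option such as --upload-pack arriving where a remote or branch name
// was expected) and control characters that have no place in a remote,
// branch or path.
function assertSafeGitArg(name, value) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new Error(`${name}: must be a non-empty string`);
  }
  if (value.startsWith('-')) {
    throw new Error(`${name}: values starting with "-" are not allowed`);
  }
  if (/[\x00-\x1f\x7f]/.test(value)) {
    throw new Error(`${name}: control characters are not allowed`);
  }
  return value;
}

// Allow only remote URL schemes we expect (an assumption for this example);
// anything that is not a parseable URL, including scp-style "user@host:path",
// and any other transport scheme is refused.
const ALLOWED_SCHEMES = new Set(['https:', 'ssh:']);

function assertSafeRemoteUrl(value) {
  assertSafeGitArg('remote', value);
  let url;
  try {
    url = new URL(value);
  } catch {
    throw new Error('remote: not a URL');
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    throw new Error(`remote: scheme ${url.protocol} not allowed`);
  }
  return value;
}

// Build the argument list for a clone. The "--" separator tells git that
// everything after it is positional, so a validated value can never be
// promoted to an option even if a later change weakens the checks above.
function buildCloneArgs(remote, localPath) {
  return [
    'clone',
    '--',
    assertSafeRemoteUrl(remote),
    assertSafeGitArg('localPath', localPath),
  ];
}

module.exports = { parseSemver, isVulnerableSimpleGitVersion, assertSafeGitArg, assertSafeRemoteUrl, buildCloneArgs };
```

Feed the version string from 'npm list simple-git' (or the dependency range from package.json) into isVulnerableSimpleGitVersion as part of a CI check; run buildCloneArgs over every clone the application performs on behalf of a user and pass the validated values, not the raw input, to simple-git.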

📡 Detection & Monitoring

Log Indicators:

  • Unusual git clone/fetch operations with suspicious parameters
  • Commands executed from git processes that don't match expected git operations
  • Process spawning from git operations with unusual arguments

Network Indicators:

  • Git operations to unexpected or malicious repositories
  • Outbound connections from git processes to unusual destinations

SIEM Query:

process.name:git AND (command_line:*upload-pack* OR command_line:*--upload-pack*) AND NOT command_line:*expected_pattern*
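The SIEM query above, applied in code to process-creation events, as an added example that is not part of the advisory. The JSON-lines format, the field names (process.name, command_line) and the sample events are constructed for this example; the set of expected upload-pack values stands in for the query's "expected_pattern" and must be adjusted to the site's own configuration.

```javascript
// Added example (not from the advisory): flag git invocations whose
// --upload-pack value is not one the environment is known to use.

// Values of --upload-pack that are normal here (an assumption for this
// example; the default helper name and one installed path).
const EXPECTED_UPLOAD_PACK = new Set(['git-upload-pack', '/usr/bin/git-upload-pack']);

// Constructed sample events in JSON-lines form (not real telemetry).
const SAMPLE_EVENTS = [
  '{"process":{"name":"git"},"command_line":"git clone -- https://example.com/app.git app"}',
  '{"process":{"name":"git"},"command_line":"git clone --upload-pack=git-upload-pack https://example.com/app.git app"}',
  '{"process":{"name":"git"},"command_line":"git fetch origin --upload-pack=/tmp/unexpected-helper main"}',
  '{"process":{"name":"node"},"command_line":"node server.js"}',
  'not json at all',
];

// Extract the value given to --upload-pack, in either the "=VALUE" or the
// separate-argument form; null when the option is absent.
function uploadPackValue(commandLine) {
  const m = /--upload-pack(?:=|\s+)(\S+)/.exec(commandLine);
  return m ? m[1] : null;
}

// Return the command lines of git processes that pass an unexpected
// --upload-pack value. Malformed lines and non-git processes are skipped.
function findSuspiciousGitInvocations(lines) {
  const hits = [];
  for (const line of lines) {
    let event;
    try {
      event = JSON.parse(line);
    } catch {
      continue; // not a JSON event; ignore rather than fail the whole scan
    }
    if (!event.process || event.process.name !== 'git') continue;
    const cmd = String(event.command_line || '');
    const value = uploadPackValue(cmd);
    if (value !== null && !EXPECTED_UPLOAD_PACK.has(value)) hits.push(cmd);
  }
  return hits;
}

module.exports = { uploadPackValue, findSuspiciousGitInvocations, SAMPLE_EVENTS };
```

Running findSuspiciousGitInvocations(SAMPLE_EVENTS) returns only the fetch whose --upload-pack points at an unexpected path; the clone that uses the default helper name and the clone with no such option pass through, which mirrors the NOT clause in the query above.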
