CVE-2022-24433

8.1 HIGH

📋 TL;DR

CVE-2022-24433 is an argument injection vulnerability in the simple-git npm package. The remote and branch parameters of the .fetch(remote, branch, handlerFn) method are passed verbatim to the git fetch subcommand, so an attacker who controls either value can supply a git option such as --upload-pack=<command> instead of a remote or branch name and have the local git binary run an arbitrary command on the host. Any Node.js application that passes user-controlled input to .fetch() on a vulnerable version is affected.

💻 Affected Systems

Products:
  • simple-git npm package
Versions: All versions before 3.3.0
Operating Systems: All operating systems where Node.js runs
Default Config Vulnerable: ⚠️ Yes
Notes: Applications are vulnerable if they pass user-controlled input to the .fetch() method without proper validation.

📦 What is this software?

simple-git is a Node.js library that wraps the git command line: each method assembles an argument list and spawns the local git binary as a child process, so a parameter that looks like a git option reaches git as an option.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with remote code execution, allowing attackers to install malware, exfiltrate data, or pivot to other systems.

🟠 Likely Case

Arbitrary command execution in the context of the application user, potentially leading to data theft, system modification, or service disruption.

🟢 If Mitigated

Limited impact if input validation and proper sandboxing prevent malicious parameter injection.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the application to accept user input for the remote or branch parameters in .fetch() calls.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.3.0 and later

Vendor Advisory: https://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0

Restart Required: Yes

Instructions:

1. Update package.json to specify 'simple-git': '^3.3.0' (if the application is still on a 2.x release this is a major-version bump, so review the 3.0 changelog before upgrading)
2. Run 'npm update simple-git' or 'yarn upgrade simple-git' and check that the lockfile now resolves to 3.3.0 or later
3. Restart the application

🔧 Temporary Workarounds

Input Validation (applies to: all)

Validate and sanitize all user input before passing it to simple-git methods: reject any remote or branch value that starts with "-" so that no parameter can be parsed by git as an option, and prefer an allow-list of known remote names and well-formed ref names over a block-list of known-bad options.

Sandbox Execution (applies to: all)

Run the application in a container or restricted user account with minimal privileges

🧯 If You Can't Patch

  • Implement strict input validation to prevent injection of git options
  • Run the application with minimal privileges and in isolated environments
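The mechanism described in the TL;DR and the input-validation workaround above, as an added JavaScript example. This is not simple-git's own code: buildFetchArgs mimics what a thin git wrapper does with its parameters, ATTACKER_REMOTE is a constructed attacker value, and the block-list and allow-list checks, regexes and error messages are this example's own.

```javascript
// Added example (not code from simple-git): how .fetch(remote, branch) parameters
// reach the git argument vector, and the checks that block CVE-2022-24433.

// Thin-wrapper behaviour: every parameter is appended to argv as given, so a
// parameter that starts with "--" is parsed by git as an option, not a remote.
function buildFetchArgs(remote, branch) {
  const args = ['fetch'];
  if (remote) args.push(remote);
  if (branch) args.push(branch);
  return args;
}

// Constructed attacker input: a git option is supplied where a remote name is expected.
// git fetch --upload-pack=<cmd> makes git run <cmd> to reach the "remote".
const ATTACKER_REMOTE = '--upload-pack=touch /tmp/pwned';

// Block-list check in the spirit of the 3.3.0 fix: refuse --upload-pack and --upload-pack=...
function isBlockedOption(arg) {
  return /^--upload-pack(=|$)/.test(String(arg));
}

// Allow-list validation to layer on top (or to use where you cannot upgrade):
// a remote is a configured remote name or an http(s)/ssh/git URL, a branch is a
// plain ref name, and nothing may start with "-", so no parameter can be read
// by git as an option. Patterns are deliberately strict; widen them as needed.
const REMOTE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]*$/;
const REMOTE_URL = /^(https?|ssh|git):\/\/[^\s]+$/;
const BRANCH_NAME = /^[A-Za-z0-9][A-Za-z0-9._\/-]*$/;

function validateFetchParams(remote, branch) {
  const errors = [];
  if (remote !== undefined) {
    if (typeof remote !== 'string') errors.push('remote: must be a string');
    else if (isBlockedOption(remote)) errors.push('remote: --upload-pack is not allowed');
    else if (remote.startsWith('-')) errors.push('remote: must not start with "-"');
    else if (!REMOTE_NAME.test(remote) && !REMOTE_URL.test(remote)) errors.push('remote: not a remote name or URL');
  }
  if (branch !== undefined) {
    if (typeof branch !== 'string') errors.push('branch: must be a string');
    else if (branch.startsWith('-')) errors.push('branch: must not start with "-"');
    else if (!BRANCH_NAME.test(branch) || branch.includes('..')) errors.push('branch: not a valid ref name');
  }
  return errors;
}

// Hardened wrapper: validate first, only then build argv for child_process.spawn('git', args).
function safeFetchArgs(remote, branch) {
  const errors = validateFetchParams(remote, branch);
  if (errors.length) throw new Error('git.fetch: rejected parameters: ' + errors.join('; '));
  return buildFetchArgs(remote, branch);
}

// Vulnerable path: the option lands in argv unchanged.
console.log(buildFetchArgs(ATTACKER_REMOTE, 'main'));
// Hardened path: the same input is rejected before anything is spawned.
console.log(validateFetchParams(ATTACKER_REMOTE, 'main'));
```

The block-list alone mirrors the shape of the 3.3.0 fix; the allow-list is what closes the class of bug, because a git wrapper that accepts arbitrary strings will always be one new option away from the next injection.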

🔍 How to Verify

Check if Vulnerable:

Check the installed version, not only the range in package.json: run 'npm ls simple-git --all' (or inspect the lockfile) so that nested copies pulled in by other dependencies are listed too. Any copy below 3.3.0 is vulnerable.

Check Version:

npm list simple-git | grep simple-git

Verify Fix Applied:

Confirm that every listed copy is 3.3.0 or higher with 'npm ls simple-git --all'
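The version check above, as an added JavaScript example rather than something from the page: it parses the JSON that 'npm ls simple-git --all --json' prints and flags every copy below 3.3.0, including nested ones. SAMPLE_NPM_LS is a constructed tree in npm's JSON shape (a "dependencies" map of {version, dependencies}); the version comparison is this example's own minimal semver handling.

```javascript
// Added example (not from the page): find every installed simple-git copy in
// `npm ls simple-git --all --json` output and compare it with the patch version.
const FIXED_VERSION = '3.3.0';

// Minimal semver parsing: numeric core plus a prerelease flag ("3.3.0-beta.1" < "3.3.0").
function parseVersion(v) {
  const [core, prerelease] = String(v).split('-', 2);
  const nums = core.split('.').map((n) => parseInt(n, 10) || 0);
  while (nums.length < 3) nums.push(0);
  return { nums, prerelease: prerelease !== undefined };
}

// Numeric comparison, so "3.10.0" sorts above "3.3.0" (a string compare would not).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.prerelease !== pb.prerelease) return pa.prerelease ? -1 : 1;
  return 0;
}

function isVulnerableVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Walk the npm ls tree and record every simple-git node with its dependency path.
function findSimpleGit(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === 'simple-git') {
      out.push({ path: here.join(' > '), version: node.version, vulnerable: isVulnerableVersion(node.version) });
    }
    findSimpleGit(node, here, out);
  }
  return out;
}

// Constructed sample: the app itself is patched, but a dependency still bundles 2.48.0.
const SAMPLE_NPM_LS = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    'simple-git': { version: '3.3.0' },
    'some-tool': { version: '2.1.0', dependencies: { 'simple-git': { version: '2.48.0' } } },
  },
};

// Usage against real output: node check.js < <(npm ls simple-git --all --json)
console.log(findSimpleGit(SAMPLE_NPM_LS));
```

The nested copy is the case 'npm list' output is easy to misread: the top-level entry says 3.3.0, but the vulnerable code is still on disk and still reachable through the other dependency.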

📡 Detection & Monitoring

Log Indicators:

  • git fetch processes whose arguments contain --upload-pack (or other options) where a remote or branch name was expected
  • git child processes spawned by the Node.js application with suspicious arguments; the injected option appears on the git process command line, with node as the parent

Network Indicators:

  • Unexpected outbound connections from the application host

SIEM Query:

process.parent.name:node AND process.name:git AND process.args:*fetch* AND (process.args:*--upload-pack* OR process.args:*--exec*)

The query is pseudo-syntax; map the field names to your EDR or auditd schema. Keying on the git child with a node parent is what separates this from legitimate administrator use of --upload-pack from a shell.
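The detection logic above, as an added JavaScript example that is not from the page's SIEM: the same conditions expressed as a function over process-creation events, run against constructed records offline. The flat event fields (name, parent, args, pid, ts) are this example's own schema, not any product's; map them to your EDR or auditd fields.

```javascript
// Added example (not from the page): the SIEM query as code over process events.

// The injected value rides on the git child process, not on node itself, so the
// rule keys on a git process whose parent is node and whose argv carries the
// option CVE-2022-24433 abuses (plus --exec, as in the page's query).
const SUSPICIOUS_OPTIONS = [/^--upload-pack(=|$)/, /^--exec(=|$)/];

function isSuspiciousGitFetch(event) {
  if (event.name !== 'git' || event.parent !== 'node') return false;
  const args = Array.isArray(event.args) ? event.args : [];
  if (!args.includes('fetch')) return false;
  return args.some((arg) => SUSPICIOUS_OPTIONS.some((re) => re.test(arg)));
}

function findSuspicious(events) {
  return events.filter(isSuspiciousGitFetch);
}

// Constructed sample events: a benign fetch, the injected option from a node
// parent, the same option used legitimately from a shell, and an unrelated process.
const SAMPLE_EVENTS = [
  { ts: '2024-01-01T10:00:00Z', pid: 4101, name: 'git', parent: 'node', args: ['fetch', 'origin', 'main'] },
  { ts: '2024-01-01T10:00:05Z', pid: 4102, name: 'git', parent: 'node', args: ['fetch', '--upload-pack=touch /tmp/pwned', 'main'] },
  { ts: '2024-01-01T10:00:09Z', pid: 4103, name: 'git', parent: 'bash', args: ['fetch', '--upload-pack=/opt/git/bin/git-upload-pack', 'origin'] },
  { ts: '2024-01-01T10:00:12Z', pid: 4104, name: 'node', parent: 'systemd', args: ['server.js'] },
];

console.log(findSuspicious(SAMPLE_EVENTS).map((e) => `${e.ts} pid=${e.pid} ${e.args.join(' ')}`));
```

Only the second event fires: the parent filter drops the administrator's shell invocation, and the option filter drops the ordinary fetch. Tune the parent name to whatever your runtime is actually called (for example a pinned node binary or a process manager).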

🔗 References

  • https://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0
  • https://nvd.nist.gov/vuln/detail/CVE-2022-24433