CVE-2022-25912

Published Dec 6, 2022

Last updated a year ago

CVSS critical 9.8

Overview

Description: The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306).
Source: report@snyk.io
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

nvd@nist.gov: CWE-78

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:simple-git_project:simple-git:*:*:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6CB880B1-A84E-43A6-8869-F447C0D33AD8",
            "versionEndExcluding": "3.15.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References