simple-git_project CVE Vulnerabilities & Metrics

Focus on simple-git_project vulnerabilities and metrics.

Last updated: 29 Mar 2026, 22:25 UTC

About simple-git_project Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with simple-git_project. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total simple-git_project CVEs: 5
Earliest CVE date: 11 Mar 2022, 17:16 UTC
Latest CVE date: 10 Mar 2026, 19:17 UTC

Latest CVE reference: CVE-2026-28292

Rolling Stats

30-day Count (Rolling): 1
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical simple-git_project CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 3.0

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	3
4.0-6.9	0
7.0-8.9	2
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS simple-git_project CVEs

These are the five CVEs with the highest CVSS scores for simple-git_project, sorted by severity first and recency.

CVE-2022-24066 simple-git_project Published on 01 Apr 2022, 20:15 UTC (CVSS: 7.5)
The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199) which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.
CVE-2022-24433 simple-git_project Published on 11 Mar 2022, 17:16 UTC (CVSS: 7.5)
The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution.
CVE-2026-28292 simple-git_project Published on 10 Mar 2026, 19:17 UTC (CVSS: 0)
`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.
CVE-2022-25860 simple-git_project Published on 26 Jan 2023, 21:15 UTC (CVSS: 0)
Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221).
CVE-2022-25912 simple-git_project Published on 06 Dec 2022, 05:15 UTC (CVSS: 0)
The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306).

All CVEs for simple-git_project

CVE-2026-28292 simple-git_project vulnerability CVSS: 0 10 Mar 2026, 19:17 UTC

`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.

CVE-2022-25860 simple-git_project vulnerability CVSS: 0 26 Jan 2023, 21:15 UTC

Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221).

CVE-2022-25912 simple-git_project vulnerability CVSS: 0 06 Dec 2022, 05:15 UTC

The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306).

CVE-2022-24066 simple-git_project vulnerability CVSS: 7.5 01 Apr 2022, 20:15 UTC

The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199) which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.

CVE-2022-24433 simple-git_project vulnerability CVSS: 7.5 11 Mar 2022, 17:16 UTC

The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution.