Description
Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221).
Remediation
References
https://github.com/steveukx/git-js/commit/ec97a39ab60b89e870c5170121cd9c1603cc1951
https://github.com/steveukx/git-js/pull/881/commits/95459310e5b8f96e20bb77ef1a6559036b779e13
https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3177391
Related Vulnerabilities
CVE-2022-31198 Vulnerability in npm package @openzeppelin/contracts-upgradeable
CVE-2023-35165 Vulnerability in npm package aws-cdk-lib
CVE-2022-31070 Vulnerability in npm package @ffdc/nestjs-proxy
CVE-2018-1000006 Vulnerability in maven package org.webjars.npm:electron
CVE-2021-32732 Vulnerability in maven package org.xwiki.platform:xwiki-platform-administration-ui