Steveukx

**Name of the Vulnerable Software and Affected Versions** simple-git versions 3.15.0 through 3.32.2 **Description** A case-sensitivity bypass in the `blockUnsafeOperationsPlugin` allows for remote code execution on the host machine. The `preventProtocolOverride()` function uses a case-sensitive regular expression to block the configuration of `protocol.allow`. However, since git treats configuration key names case-insensitively, an attacker can bypass this check by using uppercase or mixed-case variants, such as `PROTOCOL.ALLOW=always`. This enables the `ext::` protocol, which executes an arbitrary binary as a remote helper, allowing the execution of arbitrary OS commands. This issue affects applications that pass user-controlled values into the `customArgs` parameter of methods like `clone()`, `fetch()`, `pull()`, or `push()`. It is estimated that over 12.4 million installations are affected. **Recommendations** Update to version 3.23.0. As a temporary workaround, restrict or sanitize user-controlled input passed to the `customArgs` parameter in `clone()`, `fetch()`, `pull()`, and `push()` methods to prevent the use of the `protocol.allow` configuration.