PT-2026-24396 · Unknown · Simple-Git
Steveukx · Published 2026-03-10 · Updated 2026-05-18 · CVE-2026-28292
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: simple-git versions 3.15.0 through 3.32.2

Description: A case-sensitivity bypass in the blockUnsafeOperationsPlugin allows remote code execution on the host machine. The preventProtocolOverride() function uses a case-sensitive regular expression to block configuration of protocol.allow. However, because git treats configuration key names case-insensitively, an attacker can bypass this check with uppercase or mixed-case variants such as PROTOCOL.ALLOW=always. This enables the ext:: protocol, which executes an arbitrary binary as a remote helper and therefore allows execution of arbitrary OS commands. The issue affects applications that pass user-controlled values into the customArgs parameter of methods such as clone(), fetch(), pull(), or push(). It is estimated that over 12.4 million installations are affected.

Recommendations: Update to version 3.23.0. As a temporary workaround, restrict or sanitize user-controlled input passed to the customArgs parameter of the clone(), fetch(), pull(), and push() methods so that the protocol.allow configuration cannot be set.
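The following is an added illustration, not simple-git's own code, of why a case-sensitive key check is insufficient for the workaround above and how a case-insensitive check closes the gap. The function names (configOverrides, isUnsafeNaive, isUnsafeHardened) and the sample customArgs arrays are assumptions constructed for this example.

```javascript
// Added example, not simple-git's own code. Two hypothetical filters over a
// customArgs array: a case-sensitive one that models the bypass in the
// advisory, and a hardened one that compares keys the way git does
// (section and variable names are case-insensitive).

// Collect every config override passed on the git command line. Git accepts
// "-c <key>=<value>" and "--config-env=<key>=<ENVVAR>".
function configOverrides(args) {
  const found = [];
  for (let i = 0; i < args.length; i++) {
    const a = String(args[i]);
    if (a === '-c' && i + 1 < args.length) {
      found.push(String(args[++i]));
    } else if (a.startsWith('--config-env=')) {
      found.push(a.slice('--config-env='.length));
    }
  }
  return found;
}

// Naive check, as described in the advisory: the regex only matches the
// exact lower-case spelling, so PROTOCOL.ALLOW=always slips through.
function isUnsafeNaive(args) {
  return configOverrides(args).some((kv) => /^protocol\.allow=/.test(kv));
}

// Hardened check: isolate the key, strip surrounding whitespace, lower-case
// it and match on its dotted segments. This also rejects the per-protocol
// form protocol.<name>.allow (subsection names are case-sensitive in git,
// but rejecting them case-insensitively is the safe direction for a deny
// check) and a bare key with no "=".
function isUnsafeHardened(args) {
  return configOverrides(args).some((kv) => {
    const segments = kv.split('=')[0].trim().toLowerCase().split('.');
    return segments[0] === 'protocol' && segments[segments.length - 1] === 'allow';
  });
}

// Constructed sample inputs (not taken from any real application).
const SAMPLES = {
  benign: ['--depth', '1'],
  lowerCase: ['-c', 'protocol.allow=always'],
  upperCase: ['-c', 'PROTOCOL.ALLOW=always'],
  perProtocol: ['-c', 'PROTOCOL.ext.ALLOW=always'],
  viaEnv: ['--config-env=PROTOCOL.allow=SOME_VAR'],
};

for (const [name, args] of Object.entries(SAMPLES)) {
  console.log(name, 'naive:', isUnsafeNaive(args), 'hardened:', isUnsafeHardened(args));
}
```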

Tags: Exploit · Fix · RCE · OS Command Injection

Related Identifiers

CLEANSTART-2026-CE10526
CLEANSTART-2026-DV49099
CLEANSTART-2026-GS57401
CLEANSTART-2026-NB51079
CLEANSTART-2026-OW14933
CLEANSTART-2026-SW34937
CVE-2026-28292
GHSA-R275-FR43-PM7Q
OPENSUSE-SU-2026:10327-1

Affected Products

Simple-Git