This vulnerability stems from an incomplete fix for a previously reported remote code execution flaw in the widely used simple-git JavaScript package. The original patch blocked configuration injection through git's short `-c` option but left the equivalent long form, `--config`, unprotected. An attacker who can influence the options argument passed to simple-git can therefore still inject git configuration values and achieve remote code execution on vulnerable systems.
Remediation
Upgrade simple-git to version 3.36.0 or later, which carries the complete fix. Audit your dependency tree, including transitive dependencies and lockfiles, to confirm no vulnerable release remains. Do not pass untrusted input into simple-git's options argument; where user-controlled values must reach git, allowlist the specific flags you need and reject every other dash-prefixed token, rather than blocking individual spellings of the config option.