PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6951 Simple Git Project CVE debrief

CVE-2026-6951 affects the Node.js package simple-git before 3.36.0. According to the CVE record, the earlier fix for CVE-2022-25912 was incomplete: blocking the -c option did not fully block the equivalent --config form. If untrusted input can influence the options argument passed to simple-git, an attacker may be able to reach remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source.

Vendor: Simple Git Project
Product: Simple-Git
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-25
Original CVE updated: 2026-05-18
Advisory published: 2026-04-25
Advisory updated: 2026-05-18

Who should care

Teams that use simple-git in Node.js applications, especially code paths where user-controlled input can reach git options or clone sources, should treat this as a high-priority dependency issue.

Technical summary

NVD marks the issue as analyzed and maps it to CWE-94. The vulnerable range is simple-git versions from 3.15.0 up to, but not including, 3.36.0. The problem is an incomplete mitigation for CVE-2022-25912: rejecting -c alone was insufficient because --config expresses the same behavior. When attacker influence reaches the options argument, the documented attack path is to enable protocol.ext.allow=always and use an ext:: clone source, which can lead to RCE.
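To turn the stated version range into something an inventory check can act on, the following script is an added example (not from the advisory or the simple-git project). It walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3), finds every installed copy of simple-git, including nested copies, and reports those whose version falls in [3.15.0, 3.36.0). The lock content embedded at the bottom is constructed for the example; lockfileVersion 1 files, which nest under "dependencies" instead, are not handled.

```javascript
// Added example, not part of the advisory or of simple-git itself.
// Affected range taken from the NVD record: 3.15.0 (inclusive) up to 3.36.0 (exclusive).
const AFFECTED_MIN = [3, 15, 0];
const FIXED = [3, 36, 0];

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes are ignored) into a number triple.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of two parsed version triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version lies inside the affected range.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return false;
  return compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, FIXED) < 0;
}

// Accepts a parsed lock object or its JSON text; returns every affected simple-git entry.
function findAffectedSimpleGit(lockJson) {
  const lock = typeof lockJson === "string" ? JSON.parse(lockJson) : lockJson;
  const hits = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    // In lockfile v2/v3 the key is the install path, e.g. "node_modules/simple-git"
    // or a nested "node_modules/some-tool/node_modules/simple-git".
    if (!installPath.endsWith("node_modules/simple-git")) continue;
    if (entry && typeof entry.version === "string" && isAffected(entry.version)) {
      hits.push({ path: installPath, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lock: one affected copy, one already fixed, one below the range.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/simple-git": { version: "3.27.0" },
    "node_modules/some-tool/node_modules/simple-git": { version: "3.36.0" },
    "node_modules/legacy/node_modules/simple-git": { version: "3.14.1" },
  },
};

// Stand-alone run: report affected entries (use fs.readFileSync on a real lockfile instead).
for (const hit of findAffectedSimpleGit(SAMPLE_LOCK)) {
  console.log(`affected: ${hit.path} @ ${hit.version} (upgrade to 3.36.0 or later)`);
}
```

Nested copies matter here: a transitive dependency can pin its own simple-git under a deeper node_modules path, so checking only the top-level entry misses it.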

Defensive priority

High. The CVSS vector indicates network exposure, no privileges required, no user interaction, and high impact if the affected input flow is exposed.

Recommended defensive actions

  • Upgrade simple-git to 3.36.0 or later.
  • Audit any code that passes untrusted data into the options argument or clone source parameters.
  • Ensure application-level validation or allowlisting prevents users from controlling git configuration flags.
  • Review mitigations for CVE-2022-25912 to confirm they block both -c and --config forms.
  • Rebuild and redeploy applications after updating the dependency lockfile.
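The audit and allowlisting steps above are easier to reason about with a concrete gate in front of the clone call. The code below is an added example, not simple-git's own code and not part of this advisory: it validates the clone source and the array form of the options argument against an allowlist before anything reaches simple-git. The permitted option names, their value rules and the host list are assumptions chosen for the example and should be tightened to what the application actually needs. Because it is an allowlist rather than a denylist, -c, --config, --config=key=value and -ckey=value are all rejected without being enumerated, which is exactly the gap the incomplete CVE-2022-25912 fix left open.

```javascript
// Added example, not simple-git's own code. All option names, value rules and
// hosts below are assumptions for illustration.

// Allowlisted clone flags. A Map is used on purpose: with a plain object,
// inherited names such as "constructor" would look like valid flags.
const ALLOWED_CLONE_OPTIONS = new Map([
  ["--depth",         { takesValue: true,  valid: (v) => /^[1-9]\d{0,5}$/.test(v) }],
  ["--branch",        { takesValue: true,  valid: (v) => /^[A-Za-z0-9][A-Za-z0-9._\/-]{0,127}$/.test(v) }],
  ["--single-branch", { takesValue: false, valid: () => true }],
]);

// Hosts this application is willing to clone from (constructed sample values).
const ALLOWED_CLONE_HOSTS = new Set(["github.com", "git.example.internal"]);

// Accepts only https URLs to allowlisted hosts, so helper-style sources such as
// ext:: never reach git regardless of which protocol.* config is in effect.
function validateCloneSource(source) {
  let url;
  try {
    url = new URL(String(source));
  } catch {
    return { ok: false, reason: "clone source is not a parseable URL" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (!ALLOWED_CLONE_HOSTS.has(url.hostname)) return { ok: false, reason: `host ${url.hostname} not allowed` };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL not allowed" };
  return { ok: true, source: url.href };
}

// Takes the array form of simple-git's options argument and returns a rebuilt
// array containing only allowlisted flags with validated values.
function validateCloneOptions(options) {
  const out = [];
  for (let i = 0; i < options.length; i++) {
    const raw = String(options[i]);
    const eq = raw.indexOf("=");                       // handle "--flag=value"
    const flag = eq === -1 ? raw : raw.slice(0, eq);
    let value = eq === -1 ? undefined : raw.slice(eq + 1);
    const spec = ALLOWED_CLONE_OPTIONS.get(flag);
    if (!spec) return { ok: false, reason: `option ${flag} not in allowlist` };
    if (spec.takesValue) {
      if (value === undefined) {
        // "--flag value" form: the value is the next token and must not look like a flag.
        value = options[++i];
        if (value === undefined || String(value).startsWith("-")) {
          return { ok: false, reason: `missing value for ${flag}` };
        }
      }
      value = String(value);
      if (!spec.valid(value)) return { ok: false, reason: `invalid value for ${flag}` };
      out.push(flag, value);
    } else {
      if (value !== undefined) return { ok: false, reason: `${flag} takes no value` };
      out.push(flag);
    }
  }
  return { ok: true, options: out };
}

// Combine both checks; the caller only ever hands git what this returns.
function buildClonePlan(source, options) {
  const src = validateCloneSource(source);
  if (!src.ok) return src;
  const opts = validateCloneOptions(Array.isArray(options) ? options : []);
  if (!opts.ok) return opts;
  return { ok: true, source: src.source, options: opts.options };
}

// Usage sketch (simpleGit().clone(repoPath, localPath, options) is simple-git's call):
//   const plan = buildClonePlan(req.body.repo, req.body.options);
//   if (!plan.ok) return res.status(400).send(plan.reason);
//   await simpleGit().clone(plan.source, targetDir, plan.options);
console.log(buildClonePlan("https://github.com/org/repo.git", ["--depth", "1"]));
console.log(buildClonePlan("https://github.com/org/repo.git", ["--config=protocol.ext.allow=always"]));
```

Upgrading to 3.36.0 or later remains the primary fix; this gate is the application-level validation the advisory recommends on top of it, and it also keeps the clone source itself from being attacker-chosen, which the library fix alone does not address.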

Evidence notes

Basis: the NVD CVE record for CVE-2026-6951, the supplied CVE description, and the referenced patch/advisory materials. The record lists vulnerable versions as simple-git from 3.15.0 up to, but not including, 3.36.0, CVSS v4.0 8.2 (HIGH), and CWE-94. The description specifically states that the prior fix for CVE-2022-25912 was incomplete because --config was not blocked when -c was.

Official resources

Publicly disclosed in the CVE/NVD record on 2026-04-25 and last modified in NVD on 2026-05-18.