{"data":{"id":"32fd9bf4-e055-4e4f-b2ad-64e98f05ac11","title":"GHSA-r275-fr43-pm7q: simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE","summary":"The `blockUnsafeOperationsPlugin` in simple-git fails to block unsafe git protocol overrides when the configuration key is written in uppercase or mixed case (like `PROTOCOL.ALLOW` instead of `protocol.allow`), because the security check uses a case-sensitive regex while git itself treats config keys case-insensitively. An attacker who controls arguments passed to git operations can exploit this to enable the `ext::` protocol, which allows arbitrary OS command execution (RCE, remote code execution where an attacker runs commands on a system they don't control).","solution":"Add the `/i` flag to the regex to make it case-insensitive. Change the vulnerable code from `if (!/^\\s*protocol(.[a-z]+)?.allow/.test(next))` to `if (!/^\\s*protocol(.[a-z]+)?.allow/i.test(next))` in the `preventProtocolOverride` function located in `simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts` at line 24.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-r275-fr43-pm7q","publishedAt":"2026-03-10T18:38:56.000Z","cveId":"CVE-2026-28292","cweIds":null,"cvssScore":null,"cvssSeverity":"critical","severity":"critical","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["simple-git@>= 3.15.0, < 3.32.3 (fixed: 3.32.3)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["simple-git"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-03-10T18:38:56.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity","confidentiality","availability"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}