GHSA-r275-fr43-pm7q: simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE
Summary
The `blockUnsafeOperationsPlugin` in simple-git fails to block unsafe git protocol overrides when the configuration key is written in uppercase or mixed case (like `PROTOCOL.ALLOW` instead of `protocol.allow`), because the security check uses a case-sensitive regex while git itself treats config keys case-insensitively. An attacker who controls arguments passed to git operations can exploit this to enable the `ext::` protocol, which allows arbitrary OS command execution (RCE, remote code execution where an attacker runs commands on a system they don't control).
Solution / Mitigation
Add the `/i` flag to the regex to make it case-insensitive. Change the vulnerable code from `if (!/^\s*protocol(.[a-z]+)?.allow/.test(next))` to `if (!/^\s*protocol(.[a-z]+)?.allow/i.test(next))` in the `preventProtocolOverride` function located in `simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts` at line 24.
Vulnerability Details
EPSS: 0.0%
Yes
March 10, 2026
Classification
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-r275-fr43-pm7q
First tracked: March 10, 2026 at 04:00 PM
Classified by LLM (prompt v3) · confidence: 92%