Summary
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-6951 |
| Alert Source | GitHub Advisory - Critical Vulnerability |
| CVE Publication Year | 2026 |
| Date Published | 2026-04-25 |
| Vendor | npm |
| Product | simple-git |
| CVSS Score | 9.8 (critical) |
| EPSS Score | No data |
| CISA KEV | No |
| Ransomware | Not confirmed |
Vulnerability Description
Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for CVE-2022-25912 that blocks the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source.
Required Actions
Update the simple-git dependency in your project to version 3.36.0 or later immediately. Review application code for places that pass user-controlled values into the simple-git options argument and add validation/allowlisting of parameters. Scan dependent projects (for example with npm audit or npm ls simple-git) and deployed systems.
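An added example of the allowlisting recommended above (not code from simple-git or from this advisory): it normalizes the options argument into tokens, rejects both the -c and --config forms of configuration injection, and passes through only flags on a hypothetical allowlist; a separate check refuses "helper::address" clone sources such as ext::. The array and object option shapes and the allowlist contents are assumptions, to be adapted to what your code actually needs.

```javascript
// Hypothetical policy: flags permitted in the options argument and whether
// each one takes a value. Anything else is rejected before reaching simple-git.
const ALLOWED = { '--depth': true, '--branch': true, '--single-branch': false, '--no-tags': false };

// Command-line config injection: -c, -ckey=v, --config, --config=k=v, --config-env.
// Blocking only '-c' was the incomplete fix for CVE-2022-25912; '--config' is equivalent.
const CONFIG_INJECTION = /^(-c|--config)/;

// Flatten the option shapes assumed here: an array of strings, or an object
// whose keys are flags (null value = bare flag, otherwise flag=value).
function normalizeOptions(options) {
  if (Array.isArray(options)) return options.map(String);
  if (options && typeof options === 'object') {
    return Object.entries(options).flatMap(([k, v]) => (v === null ? [k] : [`${k}=${v}`]));
  }
  throw new TypeError('options must be an array or object');
}

// Returns a cleaned token array or throws on anything outside the allowlist.
function validateGitOptions(options) {
  const tokens = normalizeOptions(options);
  const out = [];
  for (let i = 0; i < tokens.length; i++) {
    const tok = tokens[i];
    if (CONFIG_INJECTION.test(tok)) throw new Error(`config injection rejected: ${tok}`);
    if (!tok.startsWith('-')) throw new Error(`unexpected positional argument: ${tok}`);
    const eq = tok.indexOf('=');
    const name = eq === -1 ? tok : tok.slice(0, eq);
    if (!(name in ALLOWED)) throw new Error(`flag not allowlisted: ${name}`);
    if (ALLOWED[name] && eq === -1) {
      // Flag takes a value: consume the next token, which must not itself be a flag.
      const val = tokens[++i];
      if (val === undefined || val.startsWith('-')) throw new Error(`missing value for ${name}`);
      out.push(name, val);
    } else if (!ALLOWED[name] && eq !== -1) {
      throw new Error(`flag takes no value: ${name}`);
    } else {
      out.push(tok);
    }
  }
  return out;
}

// Clone sources: only plain https:// or ssh:// URLs; never the "<helper>::<address>"
// remote-helper syntax (ext:: is the form this advisory describes).
function isSafeCloneSource(src) {
  return typeof src === 'string' && !/^[\w.+-]+::/.test(src) && /^(https|ssh):\/\//.test(src);
}
```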
Who Is Affected?
This vulnerability affects the simple-git package published in the npm registry at versions before 3.36.0. Check whether your Node.js applications depend on this package (commonly used in devops tooling and CI/CD) and update the dependency immediately.
Sources
