CVE-2022-25912: Chore: bump lerna, jest and create prettier workflow (#862) · steveukx/git-js@7746480
The package simple-git before 3.15.0 is vulnerable to Remote Code Execution (RCE) when the ext transport protocol is enabled, which makes it exploitable via the clone() method. This vulnerability exists because of an incomplete fix of CVE-2022-24066.
@@ -1,9 +1,9 @@
const { resolve } = require(‘path’);
const { existsSync } = require(‘fs’);
function resolver() {
function resolver(resolveToDist) {
const root = resolve(__dirname, '…/…’, ‘simple-git’);
const dist = resolve(root, 'dist’, ‘cjs’);
const dist = resolveToDist ? resolve(root, 'dist’, ‘cjs’) : root;
const pkg = existsSync(dist) ? dist : root;
@@ -19,7 +19,7 @@ function resolver() {
];
}
module.exports = function (resolve = false) {
module.exports = function (resolveToDist = false) {
return {
presets: [
[
@@ -32,6 +32,6 @@ module.exports = function (resolve = false) {
],
'@babel/preset-typescript’,
],
plugins: resolve ? [resolver()] : [],
plugins: [resolver(resolveToDist)],
};
};
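Review bot: The fallback `const pkg = existsSync(dist) ? dist : root;` still silently substitutes the source tree when `resolveToDist` is true but `dist/cjs` has not been built, so a run that is meant to exercise the packaged build would pass against source with no indication that it did. Now that the resolver is installed unconditionally (`plugins: [resolver(resolveToDist)]`), the intent should be explicit: either fail loudly, `if (resolveToDist && !existsSync(dist)) throw new Error('simple-git dist/cjs is not built');`, or at minimum annotate the line with `// falls back to the source tree when dist/cjs is absent`. The rest of resolver's body (the alias list it returns) lies outside the hunk, and the rendered first hunk shows fewer lines than its `-1,9 +1,9` header declares, so some of its lines are not visible here.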
Related news
The package simple-git before 3.15.0 is vulnerable to Remote Code Execution (RCE) when the `ext` transport protocol is enabled, which makes it exploitable via the `clone()` method. This vulnerability exists because of an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306).