CVE-2026-6951 — AI Deep Analysis Summary

🚨 **Essence**: Simple Git < 3.36.0 has a **Code Injection** flaw. It’s an incomplete fix for CVE-2022-25912. 💥 **Consequences**: Attackers can achieve **Remote Code Execution (RCE)** via malicious clone sources.

🛡️ **Root Cause**: **CWE-94** (Code Injection). The vulnerability stems from improper handling of `protocol.ext.allow=always` and `ext::` clone sources, allowing arbitrary command execution.

📦 **Affected**: **Simple Git** library for Node.js. Specifically versions **before 3.36.0**. Developed by Steve King. 📉 **Impact**: Any Node.js app using this lib is at risk.

💀 **Attacker Power**: Full **Remote Code Execution**. CVSS Score is **9.8 (Critical)**. Attackers gain High Confidentiality, Integrity, and Availability impact. They can run **any system command**.

⚠️ **Exploitation**: **Low Threshold**. CVSS: AV:N (Network), AC:L (Low Complexity), PR:N (No Privs), UI:N (No User Interaction). You just need to trigger a git clone with a malicious source.

🔍 **Public Exp?**: Yes. References include GitHub commits and Gist PoCs (e.g., KKC73). Snyk also tracks it. Wild exploitation is **highly likely** given the low barrier.

🔎 **Self-Check**: Scan your `package.json` or `node_modules`. Look for `simple-git` version **< 3.36.0**. Check if your app uses `protocol.ext` or custom clone sources.

✅ **Fixed?**: Yes. Upgrade to **Simple Git 3.36.0** or later. The patch addresses the incomplete fix from the previous CVE. 📝 **Ref**: GitHub commit 89a2294.

🚧 **No Patch?**: **Mitigation**: Disable `protocol.ext.allow` or avoid using `ext::` clone protocols. Sanitize all git URLs. Do not allow untrusted sources to trigger git commands.

🔥 **Urgency**: **CRITICAL**. CVSS 9.8 + RCE + Low Exploit Difficulty. Patch **IMMEDIATELY**. This is a high-priority security update for all Node.js projects.