CVE-2022-24066: 
JavaScript vulnerability analysis and mitigation

The simple-git package versions before 3.5.0 contain a Command Injection vulnerability (CVE-2022-24066). This vulnerability exists due to an incomplete fix of a previous vulnerability (CVE-2022-24433) which only patched against the git fetch attack vector. The vulnerability affects the --upload-pack feature of git that is also supported for git clone operations, which the prior fix didn't address (Snyk JS).

The vulnerability is classified as an Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') with a CVSS v3.1 base score of 8.1 (High). The vulnerability allows attackers to execute arbitrary commands through the --upload-pack parameter in git clone operations. The attack complexity is rated as High, requires no privileges or user interaction, and can potentially lead to a complete compromise of system confidentiality, integrity, and availability (Snyk Java).

The vulnerability can result in total loss of confidentiality, integrity, and availability of the affected system. An attacker can potentially execute arbitrary commands on the target system, leading to complete system compromise. The impact is particularly severe as it affects a package that receives over 2.2 million downloads per week (GitHub Gist).

The recommended mitigation is to upgrade simple-git to version 3.5.0 or higher. The fix prevents the use of --upload-pack as a command in git.clone to avoid potential command execution. The patch includes additional validation to block potentially exploitable arguments (GitHub Commit).