Description
Summary
The @datadog/webpack-plugin package contains a vulnerable version of simple-git (3.25.0) that is affected by a critical remote code execution (RCE) vulnerability.
Vulnerability Details
- CVE ID: CVE-2026-28292
- GHSA ID: GHSA-r275-fr43-pm7q
- Severity: Critical (CVSS 9.8)
- Advisory: GHSA-r275-fr43-pm7q
Issue
The vulnerability allows attackers to bypass the blockUnsafeOperationsPlugin security mechanism through case-insensitive protocol.allow config key manipulation, enabling arbitrary OS command execution via the ext:: protocol.
The vulnerable regex pattern /^\s*protocol(.[a-z]+)?.allow/ fails to match uppercase or mixed-case variants of configuration keys that Git normalizes to lowercase internally. An attacker can pass -c PROTOCOL.ALLOW=always to bypass the check.
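As an added illustration of the pattern difference described above (example code, not simple-git's or the build-plugins project's own), the following checks a constructed argument list against the quoted regex with and without the case-insensitive flag; how -c and --config= overrides are parsed is an assumption of the example:

```javascript
// Added example, not code from simple-git or from the build-plugins repo.
// It models the check the advisory describes: a case-sensitive pattern that
// misses PROTOCOL.ALLOW, next to the same pattern with the 'i' flag.

// Pattern as quoted in the advisory (case-sensitive).
const weakPattern = /^\s*protocol(.[a-z]+)?.allow/;
// Same pattern with the case-insensitive flag, matching the fact that Git
// normalises config key names to lowercase before comparing them.
const fixedPattern = /^\s*protocol(.[a-z]+)?.allow/i;

// Collects "key=value" strings passed as config overrides. Assumption of this
// example: overrides arrive as a separate "-c <key=value>" pair or as
// "--config=<key=value>".
function extractConfigOverrides(args) {
  const overrides = [];
  for (let i = 0; i < args.length; i++) {
    const arg = args[i];
    if (arg === '-c' && i + 1 < args.length) {
      overrides.push(args[++i]);
    } else if (arg.startsWith('--config=')) {
      overrides.push(arg.slice('--config='.length));
    }
  }
  return overrides;
}

// Returns the overrides that the given pattern classifies as protocol.allow
// manipulation. Only the key part (before '=') is tested against the pattern.
function findProtocolOverrides(args, pattern) {
  return extractConfigOverrides(args).filter((kv) => {
    const key = kv.split('=', 1)[0];
    return pattern.test(key);
  });
}

// Constructed sample argument list: two mixed-case protocol overrides hidden
// among a harmless option. The remote URL is a placeholder.
const sampleArgs = [
  'clone', '-c', 'core.pager=cat', '-c', 'PROTOCOL.ALLOW=always',
  '--config=Protocol.Ext.Allow=always', 'https://example.invalid/repo.git',
];

console.log('weak pattern flags :', findProtocolOverrides(sampleArgs, weakPattern));
console.log('fixed pattern flags:', findProtocolOverrides(sampleArgs, fixedPattern));
```

The weak pattern flags nothing in the sample list, while the flagged version catches both mixed-case keys; a lowercase protocol.allow key is caught by both.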
Current State
- File: packages/published/webpack-plugin/package.json
- Current version: simple-git: 3.25.0 (vulnerable)
- Affected versions: simple-git >= 3.15.0, < 3.32.3
Recommended Fix
Update the simple-git dependency to version 3.32.3 or later, which includes the fix with a case-insensitive regex flag.
Impact
Applications accepting user-controlled arguments to methods like clone(), fetch(), or pull() face remote code execution risks.
References
- GitHub Advisory: GHSA-r275-fr43-pm7q
- Vulnerable package.json: https://github.com/DataDog/build-plugins/blob/master/packages/published/webpack-plugin/package.json#L25