www.belgium.be Logo of the federal government

Warning: Git Has A Critical Vulnerability That Can Lead To Remote Code Execution When Cloning A Repository

Advisory #2024-69
Affected software: 
Git prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2 and 2.39.4
• CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-434 - Unrestricted Upload of File with Dangerous Type

CVE-2024-32002 :CVSS 9.1(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)





The vulnerability in Git prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2 and 2.39.4, stems from the improper handling of symbolic links and case-insensitive filesystems during the cloning of repositories with submodules.

Successful exploitation can allow an attacker to execute arbitrary code with the same privileges as the user running Git without this user being able to inspect this code. This has a high impact on confidentiality, integrity and availability. No active exploitation of this vulnerability has been seen yet at the time of writing, but there is a proof-of-concept available.


CVE-2024-32002, with a CVSS score of 9.1, is a vulnerability in Git, where it can be fooled when cloning malicious repositories with submodules to write to the ‘.git/’ directory instead of the submodule’s worktree by exploiting a case-sensitive naming conflict between a directory and a symbolic link.. In this way, an attacker could write a hook that will be executed while cloning without the user first being able to inspect the repository. This attack only works if symbolic link support is enabled.

Recommended Actions


The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

  • Affected versions: v2.45.0 v2.44.0 <=v2.43.3 <=v2.42.1 v2.41.0 <=v2.40.1 <=v2.39.3
  • Patched versions: v2.45.1 v2.44.1 v2.43.4 v2.42.2 v2.41.1 v2.40.2 v2.39.4

There is also a workaround described in the GitHub advisory, that is, disabling symbolic link support via the command: `git config --global core.symlinks false`.


The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.