GitHub has issued a critical alert concerning a newly discovered vulnerability in Git that allows for remote code execution, urging users to update to the latest version immediately.
The vulnerability, which is particularly severe in repositories with submodules, can lead to code execution during the ‘clone’ operation without the user’s knowledge. This exploit is possible through a combination of directory and symbolic link manipulations, as explained by GitHub’s Johannes Schindelin.
The attack relies on confusing Git by using a directory and a symbolic link that differ only in case, causing Git to write files either into the submodule’s worktree or into the .git/ directory. This can result in the execution of a malicious hook while the clone operation is still ongoing, preventing the user from inspecting the executed code.
The critical nature of this vulnerability is underscored by its impact rating of 9.1 out of 10. Identified as CVE-2024-32002, it affects both Windows and macOS systems. Specifically, it is exploitable through recursive clones on case-insensitive filesystems that support symbolic links.
GitHub is encouraging developers to avoid cloning repositories from unreliable sources and to ensure that symbolic link support in Git is disabled. This can be done via the command git config --global core.symlinks false, which mitigates the risk of this particular attack. In their own words, “As always, it is best to avoid cloning repositories from untrusted sources.”
The vulnerability affects a wide range of Git versions, including v2.45.0, v2.44.0, and versions up to v2.43.3, v2.42.1, v2.41.0, and v2.40.1. GitHub has released patches for these versions, and users are encouraged to update to the patched versions (v2.45.1, v2.44.1, v2.43.4, v2.42.2, v2.41.1, v2.40.2, and v2.39.4) as soon as possible.
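As an added example, not code from the article or from the Git project, the POSIX shell functions below check a Git version string against the patched releases listed above and check whether core.symlinks is set to one of Git's accepted "false" spellings; the function names and the --run flag are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the article or the Git project): decide whether a Git
# version string is at or above the fixed release for its maintenance line,
# using the patched versions named in the advisory.
PATCHED_VERSIONS="2.45.1 2.44.1 2.43.4 2.42.2 2.41.1 2.40.2 2.39.4"

# git_is_patched VERSION
#   returns 0 if VERSION (e.g. "2.44.1" or "2.45.1.windows.1") is fixed,
#   1 if it is on a listed line but below the fix, 2 if the line is older
#   than any patched line (never fixed, so treat it as vulnerable).
git_is_patched() {
    v=$1
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then patch=0; fi   # "2.44" -> patch level 0
    patch=${patch%%.*}                            # drop suffixes like ".windows.1"
    for p in $PATCHED_VERSIONS; do
        pmajor=${p%%.*}; prest=${p#*.}
        pminor=${prest%%.*}; ppatch=${prest#*.}
        if [ "$major" -eq "$pmajor" ] && [ "$minor" -eq "$pminor" ]; then
            if [ "$patch" -ge "$ppatch" ]; then return 0; else return 1; fi
        fi
    done
    # Lines newer than 2.45 were released after the fix; older lines got no patch.
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -gt 45 ]; }; then
        return 0
    fi
    return 2
}

# symlinks_disabled VALUE
#   returns 0 when VALUE is one of Git's "false" spellings for core.symlinks.
symlinks_disabled() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        false|no|off|0) return 0 ;;
        *) return 1 ;;
    esac
}

# Inspect the locally installed git (only when the script is run with --run).
check_local_git() {
    command -v git >/dev/null 2>&1 || { echo "git not found"; return 3; }
    ver=$(git --version | awk '{print $3}')
    if git_is_patched "$ver"; then echo "git $ver: fixed for CVE-2024-32002"
    else echo "git $ver: NOT fixed for CVE-2024-32002, update"; fi
    if symlinks_disabled "$(git config --global --get core.symlinks)"; then
        echo "core.symlinks=false: mitigation in place"
    else echo "core.symlinks is not disabled"; fi
}
if [ "${1:-}" = "--run" ]; then check_local_git; fi
```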