Urgent Git Security Update: Patch Now to Avoid Vulnerabilities

On May 14, 2024, a new version of Git, v2.45.1, was released, addressing five security vulnerabilities. This update impacts all major platforms: Windows, macOS, Linux, and BSD.

Corresponding updates have also been released for GitHub Desktop and Visual Studio, which include Git components. The fixed vulnerabilities are as follows:

  • CVE-2024-32002 (CVSS score 9.1). Repositories with submodules could force Git to execute commands from the “.git/” directory during cloning, potentially leading to remote code execution.
  • CVE-2024-32004 (CVSS score 8.2). An attacker could create a local repository and use it to execute arbitrary code when cloned.
  • CVE-2024-32465 (CVSS score 7.4). Cloning from ZIP files containing Git repositories could bypass existing protections, potentially executing unsafe scripts.
  • CVE-2024-32020 (CVSS score 3.9). Local clones on the same disk could allow untrusted users to alter files in the cloned repository’s object database.
  • CVE-2024-32021 (CVSS score 3.9). Cloning a local repository with symbolic links could result in the creation of hard links to arbitrary files in the “objects/” directory.

Updating to the latest version is essential for protection against these vulnerabilities. If updating is not possible, extra caution should be exercised when cloning repositories from untrusted sources.

Enhancing security during Git repository cloning has been the primary focus of recent updates. Git aims to make cloning secure, even for untrusted repositories, and this capability is now thoroughly documented.

The development team has also implemented several protective measures to reduce the likelihood of similar vulnerabilities in the future. These include improvements for preventing remote code execution and ensuring safer script execution.

Timely updating to the latest version is crucial to prevent potential supply chain attacks and the execution of unwanted code.