CVE-2024-32002
Published: 14 May 2024
Summary
CVE-2024-32002 is a critical-severity Path Traversal (CWE-22) vulnerability in Git Git. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 0.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Git is a widely used revision control system that is vulnerable to a path traversal issue when handling repositories containing submodules. Prior to the releases 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, a specially crafted repository can cause Git to write files into a .git/ directory instead of the intended submodule worktree. The flaw is tracked under CWE-22, CWE-434, and CWE-59 and carries a CVSS 3.1 score of 9.0.
An attacker who controls a repository can embed malicious submodules that exploit symbolic-link handling during a recursive clone. When a victim clones the repository, Git writes an executable hook into .git/ that runs automatically while the clone operation is still in progress, giving the target no chance to review the code. The attack requires no authentication or user interaction beyond performing the clone and succeeds over the network.
Official patches have been issued in the listed Git versions. The Git project notes that setting core.symlinks to false globally prevents the attack vector, and it continues to recommend against cloning repositories from untrusted sources. The associated GitHub Security Advisory and commit 97065761333fd62db1912d81b489db938d8c991d document the fix and the configuration workaround.
The current EPSS score of 0.8247, with a peak of 0.8295, indicates sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-29843
Vulnerability details
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files…
more
not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2024-32002 enables remote code execution via exploitation of a client-side path traversal vulnerability in Git during recursive submodule clones, allowing arbitrary hooks to be written to .git/ and executed without further user interaction.
MITRE ATLAS TechniquesAI
MITRE ATLAS techniques
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
Validates pathnames and filenames to prevent traversal outside intended directories.
Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.