Cyber Resilience

CVE-2024-32002

Critical

Published: 14 May 2024
Modified: 04 November 2025
KEV Added: not listed
Patch: available
CVSS Score v3.1: 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.8084 (99.2nd percentile)
Risk Priority: 67 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-32002 is a critical-severity Path Traversal (CWE-22) vulnerability in Git. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 0.8% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

Git is a widely used revision control system that is vulnerable to a path traversal issue when handling repositories containing submodules. Prior to the releases 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, a specially crafted repository can cause Git to write files into a .git/ directory instead of the intended submodule worktree. The flaw is tracked under CWE-22, CWE-434, and CWE-59 and carries a CVSS 3.1 score of 9.0.

An attacker who controls a repository can embed malicious submodules that exploit symbolic-link handling during a recursive clone. When a victim clones the repository, Git writes an executable hook into .git/ that runs automatically while the clone operation is still in progress, giving the target no chance to review the code. The attack requires no authentication or user interaction beyond performing the clone and succeeds over the network.

Official patches have been issued in the listed Git versions. The Git project notes that setting core.symlinks to false globally prevents the attack vector, and it continues to recommend against cloning repositories from untrusted sources. The associated GitHub Security Advisory and commit 97065761333fd62db1912d81b489db938d8c991d document the fix and the configuration workaround.

The current EPSS score of 0.8247, with a peak of 0.8295, indicates sustained exploitation interest following disclosure.

Vulnerability details

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.
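The two remediation points the advisory gives are a fixed release per minor line and the `core.symlinks=false` workaround. As an added, offline check that is not part of the advisory or of the Git project, the POSIX shell script below compares a Git version string against the fixed releases listed above and reports whether the workaround is set. The function names (`git_is_patched`, `symlinks_disabled`, `report_git`) are my own; versions older than the 2.39 line are treated as unfixed because the advisory names no fix for them, and pre-release builds (for example `2.45.0-rc1`) are treated as the unfixed base version.

```shell
#!/bin/sh
# Added example, not part of the advisory: an offline check for CVE-2024-32002.
# It compares a Git version string against the fixed releases named in the
# advisory and confirms the documented core.symlinks workaround.
# Function names (git_is_patched, symlinks_disabled, report_git) are my own.

# Lowest fixed patch level per maintained 2.x minor line (from the advisory).
fixed_patch_for_minor() {
    case $1 in
        39) echo 4 ;;
        40) echo 2 ;;
        41) echo 1 ;;
        42) echo 2 ;;
        43) echo 4 ;;
        44) echo 1 ;;
        45) echo 1 ;;
        *)  echo "" ;;
    esac
}

# git_is_patched X.Y.Z[suffix] -> exit 0 if the version is at or past the fix
# for its line, 1 if it is vulnerable (lines older than 2.39 received no fix;
# pre-release suffixes such as "-rc1" are ignored, so 2.45.0-rc1 counts as 2.45.0).
git_is_patched() {
    ver=${1#git version }          # accept raw `git --version` output too
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;   # "2.43.4.windows.1" -> 4
        *)   patch=0 ;;                                # "2.45" -> patch level 0
    esac
    patch=${patch%%[!0-9]*}        # "0-rc1" -> 0
    [ -z "$patch" ] && patch=0

    [ "$major" -gt 2 ] && return 0
    [ "$major" -lt 2 ] && return 1
    need=$(fixed_patch_for_minor "$minor")
    if [ -z "$need" ]; then
        [ "$minor" -gt 45 ]        # newer line than any in the advisory: fixed
        return $?
    fi
    [ "$patch" -ge "$need" ]
}

# symlinks_disabled VALUE -> exit 0 when the value of core.symlinks is "false".
symlinks_disabled() {
    [ "$1" = "false" ]
}

# Report on the locally installed Git, if any (no-op where git is absent).
report_git() {
    command -v git >/dev/null 2>&1 || { echo "git not installed"; return 0; }
    v=$(git --version)
    if git_is_patched "$v"; then
        echo "$v: fixed for CVE-2024-32002"
    else
        echo "$v: VULNERABLE to CVE-2024-32002, upgrade to a fixed release"
    fi
    cfg=$(git config --global --get core.symlinks 2>/dev/null || echo unset)
    if symlinks_disabled "$cfg"; then
        echo "core.symlinks=false: documented workaround in place"
    else
        echo "core.symlinks=$cfg: workaround not applied"
    fi
}

report_git
```

The version comparison is per minor line rather than a plain lexical compare, because 2.39.4 is fixed while 2.40.1 is not; a naive "is the version greater than 2.39.4" check would pass the vulnerable 2.40.1 and 2.44.0 builds.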

CWE(s): CWE-22, CWE-434, CWE-59

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

CVE-2024-32002 enables remote code execution via exploitation of a client-side path traversal vulnerability in Git during recursive submodule clones, allowing arbitrary hooks to be written to .git/ and executed without further user interaction.

MITRE ATLAS Techniques (AI-mapped)

AML.T0010: AI Supply Chain Compromise

Affected Assets

git (vendor: git)
Affected versions: 2.41.0, 2.44.0, 2.45.0 · ≤ 2.39.4 · 2.40.0 — 2.40.2 · 2.42.0 — 2.42.2

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-434: Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.

Addresses CWE-434: Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.

Addresses CWE-434: Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.

Addresses CWE-22: Validates pathnames and filenames to prevent traversal outside intended directories.

Addresses CWE-434: Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.
