
CVE-2024-32004

Severity: High
Published: 14 May 2024
Modified: 06 January 2026
CVSS v3.1 Score: 8.1 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0244 (85.5th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-32004 is a high-severity Process Control (CWE-114) vulnerability in Git-Scm Git. Its CVSS base score is 8.1 (High).

Operationally, it ranks in the top 14.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Git is a widely used revision control system affected by CVE-2024-32004, a vulnerability present in all versions prior to 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. The flaw allows an attacker to craft a local repository such that cloning it triggers execution of arbitrary code on the victim's system during the clone operation itself. It is tracked under CWE-114 and carries a CVSS 3.1 score of 8.1 reflecting local attack vector, high complexity, no privileges or user interaction required, and changed scope with high impact on confidentiality, integrity, and availability.

An attacker who controls or can influence a repository can prepare it to exploit the issue; any user who subsequently clones that repository will execute the attacker's code in the context of the clone process. Because the attack requires the victim to initiate a clone from the malicious source, it is most relevant in environments where developers or automated systems fetch repositories from untrusted or attacker-controlled locations.

Official patches addressing the root cause were released in the listed Git versions, and the Git project advisory, along with downstream distributions such as Debian, recommends avoiding clones from untrusted sources as an immediate workaround. The referenced Git commit and security advisory provide the specific remediation details.
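As an added example (not from this tracker page or the Git project), the following check applies the fixed-release list above to the output of `git --version`: a build is affected if it sits on one of the 2.39 to 2.45 maintenance lines below that line's fix release, or on any line older than 2.39. The regex, the table name and the function names are my own assumptions.

```python
import re

# Fix release per maintenance line, taken from the advisory text above.
# A build on one of these lines is affected if its patch number is lower;
# every line older than 2.39 is affected outright ("all versions prior to ...").
FIXED_PATCH = {
    (2, 39): 4, (2, 40): 2, (2, 41): 1, (2, 42): 2,
    (2, 43): 4, (2, 44): 1, (2, 45): 1,
}
OLDEST_FIXED_LINE = (2, 39)

# First dotted number in the string; the third component is optional.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_git_version(text: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from `git --version` output.

    Accepts forms such as 'git version 2.44.0', '2.39.3 (Apple Git-146)'
    and 'git version 2.45.0.windows.1'; a missing patch number is read as 0.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected_by_cve_2024_32004(version_text: str) -> bool:
    """True when the reported Git build predates its line's fix release."""
    major, minor, patch = parse_git_version(version_text)
    line = (major, minor)
    if line in FIXED_PATCH:
        return patch < FIXED_PATCH[line]   # same line: compare with its fix release
    if line < OLDEST_FIXED_LINE:
        return True                        # older lines never received a fix
    return False                           # 2.46 and later started out fixed


if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["git", "--version"], capture_output=True,
                         text=True, check=True).stdout
    verdict = "AFFECTED" if is_affected_by_cve_2024_32004(out) else "patched"
    print(out.strip(), "->", verdict)
```

Run it on each developer workstation and CI image; the same function can be fed inventory data (for example, a column of `git --version` strings) instead of a live subprocess call.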

EPSS for this CVE rose from a low baseline to a peak of 0.0664 on 2025-12-11 before receding to the current value of 0.0244, indicating that exploitation interest increased well after initial disclosure.

Vulnerability details

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.

CWE(s)

CWE-114: Process Control

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

git-scm git: 2.41.0, 2.44.0, 2.45.0 · ≤ 2.39.4 · 2.40.0 — 2.40.2 · 2.42.0 — 2.42.2
fedoraproject fedora: 40
debian debian linux: 10.0, 11.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.