Git is the backbone of version control for millions of developers worldwide. It makes collaboration possible, tracks your changes, and helps you organize code. But like any complex tool, it isn’t immune to security threats—especially if you work with code from others or handle repositories from the web.
A recently discovered vulnerability, CVE-2024-32465, exposes new risks in a scenario many developers face: working with zipped copies of Git repositories from outside sources. Below, we’ll break down what makes this bug dangerous, show what attackers can exploit, and give you clear, actionable tips to stay safe.
When you clone a Git repository using the standard command
git clone --no-local <repository-url>
you’re generally safe, even if the source is untrusted. Git has built-in protections that help stop bad actors from sneaking in malicious files or rogue scripts.
But here’s the catch: If someone gives you a .zip archive containing a full copy of a Git repository—maybe by email, download link, or file sharing—it may not be as harmless as it looks. Git’s protections don’t automatically guard you when extracting these archives. Hidden in such an archive, malicious hooks or files could be placed to run commands on your computer when you use Git inside that folder.
This weakness extends a previous issue covered in CVE-2024-32004. There, the danger was cloning local repositories owned by other users. With CVE-2024-32465, the risk is even bigger: simply unzipping an archive from the wrong source can land you in trouble.
How the Exploit Works
Imagine Alice creates a Git repository with a malicious hook script in .git/hooks/. She compresses the entire repo—including the hidden .git folder—into a .zip archive. Bob downloads and extracts the archive, thinking he’s safe to use it.
But when Bob runs any Git command in that folder—like git status or git commit—the malicious hook script could execute, running code with Bob’s permissions.
Suppose the attacker’s repo has .git/hooks/post-checkout with these contents
#!/bin/bash
echo "Malicious code runs!" > ~/HACKED.txt
If post-checkout is set as executable and lives inside .git/hooks/, Git will run it automatically upon certain Git actions.
Typical .zip Archive Extraction
unzip supplied-repo.zip -d ./dangerous-repo
cd dangerous-repo
git checkout main # Triggers the post-checkout hook!
Bob may never notice the script has done anything—unless he checks his home directory and finds HACKED.txt. But a real attacker could do far worse, including stealing credentials or opening backdoors.
What Protects You… And Where It Fails
If you clone from a remote repository, Git won't copy the .git/hooks/ scripts, making you safe by default.
But if you unzip a complete archive (including the .git/ folder), local hook files and other configurations are included, potentially giving attackers a direct way to run their code.
The fixes for CVE-2024-32004 improved some Git clone protections, but they don’t help when working with extracted archives.
2. Always clone from official or authenticated repositories using
git clone --no-local <url>
3. Remember: Even if you trust the code, do NOT trust the archive!
4. If you must use a zipped-up repo, delete the .git/hooks/ directory before running any Git commands:
rm -rf .git/hooks/
5. Keep your Git version up to date.
2.39.4
Update now:
Download the latest Git version
Official References
- CVE-2024-32465 – MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32465
- GitHub Security Advisory: GitHub Advisory Database
- Git Project Release Notes: Git v2.45.1 Release Notes
- Previous Related CVE: CVE-2024-32004
Always update your Git and clone from official remotes.
- Delete potential .git/hooks/ folders before running Git in untrusted repositories.
Stay cautious, and help spread the word—protect yourself and your team from these subtle but dangerous security holes in your daily dev life.
Timeline
Published on: 05/14/2024 20:15:14 UTC
Last modified on: 06/26/2024 10:15:12 UTC