CVE-2021-40330 Overview
CVE-2021-40330 is a cross-protocol request vulnerability in the git_connect_git function within connect.c in Git versions prior to 2.30.1. The vulnerability allows attackers to inject newline characters into repository paths, potentially enabling unexpected cross-protocol requests. This input validation flaw can be exploited through specially crafted git:// URLs containing URL-encoded newline sequences.
Critical Impact
Attackers can craft malicious git:// URLs that inject arbitrary protocol commands, potentially enabling cross-protocol attacks such as HTTP request injection through the git:// protocol handler.
Affected Products
- Git-scm Git versions before 2.30.1
- Debian Linux 10.0
Discovery Timeline
- 2021-08-31 - CVE-2021-40330 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-40330
Vulnerability Analysis
The vulnerability resides in the git_connect_git() function in connect.c, which failed to validate repository paths for newline characters. When processing git:// URLs, the function would accept paths containing URL-encoded newline sequences (%0d%0a), allowing attackers to inject arbitrary data into the protocol stream.
The attack leverages the git:// protocol's text-based nature. By embedding newline characters followed by HTTP request syntax, an attacker could cause a Git client to send unintended HTTP requests to a target server. For example, a malicious URL like git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 would result in the Git client sending what appears to be an HTTP GET request after the git protocol preamble.
This type of cross-protocol attack can be particularly dangerous in environments where Git clients operate behind firewalls or in trusted network segments, as it could potentially be used to interact with internal services that would otherwise be inaccessible.
Root Cause
The root cause is improper input validation in the git_connect_git() function. The function did not sanitize or reject newline characters (\n and \r) in the host and repository path parameters before using them in protocol communications. This oversight allowed protocol injection attacks through specially crafted URLs.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Crafting a malicious git:// URL containing URL-encoded newline characters
- Tricking a user or automated system into cloning or fetching from the malicious URL
- Relying on the injected newline to make the Git client send additional protocol commands beyond the intended git protocol request
The patch introduced validation to explicitly reject newline characters in both the target host and repository path:
target_host = xstrdup(hostandport);
transport_check_allowed("git");
+ if (strchr(target_host, '\n') || strchr(path, '\n'))
+ die(_("newline is forbidden in git:// hosts and repo paths"));
/*
* These underlying connection commands die() if they
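Review bot: the guard `if (strchr(target_host, '\n') || strchr(path, '\n'))` rejects LF only, while the surrounding analysis describes %0d%0a (CRLF) sequences; either extend the check to '\r' as well or state in the commit message why a bare CR cannot act as a line terminator on the wire. Checking both target_host and path in one place before the connection commands is otherwise the right shape for this fix.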
Source: GitHub Commit Changes
The corresponding test case validates that the client properly refuses malicious URLs:
)
'
+test_expect_success 'client refuses to ask for repo with newline' '
+ test_must_fail git clone "$GIT_DAEMON_URL/repo$LF.git" dst 2>stderr &&
+ test_i18ngrep newline.is.forbidden stderr
+'
+
test_remote_error()
{
do_export=YesPlease
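Review bot: the new test only puts the newline in the repository path (`"$GIT_DAEMON_URL/repo$LF.git"`), while the fix also rejects a newline in the target host; add a companion case with the newline in the host portion so both halves of the check are exercised. The test also depends on `$LF` being defined by the test library outside this hunk, which is worth a short comment for readers of the test file.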
Source: GitHub Commit Changes
Detection Methods for CVE-2021-40330
Indicators of Compromise
- Git client logs showing connection attempts to unexpected URLs or protocols
- Network traffic containing git:// URLs with URL-encoded newline sequences (%0d%0a)
- Unusual HTTP requests originating from Git client processes
Detection Strategies
- Monitor network traffic for git:// URLs containing encoded newline characters (%0d, %0a, %0d%0a)
- Implement URL filtering rules to detect and block malicious git:// protocol requests with injection patterns
- Audit Git client version deployments to identify unpatched installations below version 2.30.1
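As an added example that is not part of this advisory or of the Git project, the following Python script applies the same check the 2.30.1 patch performs to git:// URLs found in log lines: it percent-decodes host and path first so that %0d%0a is caught, and it treats CR as forbidden too, which deliberately goes beyond the LF-only check in the patch. The log lines and hostnames are constructed for the demonstration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample log lines (not from any real system): a benign git:// clone,
# a clone using the percent-encoded CRLF pattern described in the advisory,
# and an HTTPS fetch that the git:// matcher ignores.
SAMPLE_LOG = """\
2021-09-01T10:00:01Z ci-runner git clone git://git.example.test/project.git
2021-09-01T10:00:07Z ci-runner git clone git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1
2021-09-01T10:00:09Z dev-box git fetch https://git.example.test/project.git
"""

# git:// URLs end at the first whitespace or quote character in a log line.
GIT_URL = re.compile(r"git://[^\s\"']+")


def newline_in_git_url(url: str) -> bool:
    """Return True if the decoded host or repository path of a git:// URL
    contains a line break. The upstream patch rejects only '\\n'; CR is
    included here as a defensive extension (our assumption, not Git's)."""
    parts = urlsplit(url)
    # Decode after splitting: urlsplit would otherwise drop raw CR/LF bytes.
    host = unquote(parts.netloc)
    path = unquote(parts.path)
    return any(c in host or c in path for c in ("\n", "\r"))


def flag_suspicious_lines(log_text: str) -> list[tuple[int, str]]:
    """Return (line_number, url) for each git:// URL a patched client would refuse."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for url in GIT_URL.findall(line):
            if newline_in_git_url(url):
                hits.append((lineno, url))
    return hits


if __name__ == "__main__":
    for lineno, url in flag_suspicious_lines(SAMPLE_LOG):
        print(f"line {lineno}: newline in git:// URL: {url!r}")
```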
Monitoring Recommendations
- Enable verbose logging for Git operations in CI/CD pipelines and developer workstations
- Configure network intrusion detection systems (IDS) to alert on cross-protocol request patterns
- Monitor for error messages containing "newline is forbidden", which indicate attempted exploitation against patched systems
How to Mitigate CVE-2021-40330
Immediate Actions Required
- Upgrade Git to version 2.30.1 or later immediately
- Audit all Git installations across development environments, CI/CD systems, and servers
- Review logs for any suspicious git:// URL patterns that may indicate attempted exploitation
Patch Information
The vulnerability was fixed in Git version 2.30.1. The patch adds explicit validation in the git_connect_git() function to reject any repository URLs containing newline characters. The fix is straightforward and introduces a check using strchr() to detect newline characters in both the target host and path parameters, terminating with an error message if detected.
Review the complete patch details at the GitHub Commit Changes or compare versions using the GitHub Version Comparison. Debian users should refer to the Debian LTS Security Announcement.
Workarounds
- Avoid using git:// protocol URLs from untrusted sources until patching is complete
- Configure firewalls to restrict outbound connections from Git clients to known-good Git servers only
- Use HTTPS (https://) or SSH (git@) protocols instead of git:// where possible, as they have different parsing behavior
# Check Git version to verify patch status
git --version
# Update Git on Debian/Ubuntu systems
sudo apt-get update && sudo apt-get upgrade git
# Update Git on RHEL/CentOS systems
sudo yum update git
# Update Git on macOS via Homebrew
brew upgrade git
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


