CVE-2022-24765 Overview
Git for Windows contains an uncontrolled search path vulnerability that affects users working on multi-user machines where untrusted parties have write access to the same hard disk. This vulnerability allows malicious actors to create a C:\.git folder that Git operations will pick up when searching for a Git directory, even when running commands outside of a repository. Any configuration specified in this malicious .git directory would be respected by Git, potentially leading to arbitrary code execution or credential theft.
Critical Impact
Attackers with local write access can hijack Git operations across all users on a Windows system by planting a malicious .git folder at the root of a drive, enabling arbitrary configuration injection and potential code execution.
Affected Products
- Git for Windows (versions prior to v2.35.2)
- Microsoft Windows (when running Git)
- Apple Xcode (bundled Git)
- Fedora 34, 35, 36, 37
- Debian Linux 10.0
Discovery Timeline
- 2022-04-12 - CVE-2022-24765 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-24765
Vulnerability Analysis
This vulnerability (CWE-427: Uncontrolled Search Path Element) exploits Git's directory traversal behavior when searching for a .git directory. When Git commands are executed, the application searches upward through the directory hierarchy looking for a .git folder to determine repository context. On Windows systems, this search can traverse all the way to the root of the drive (e.g., C:\).
The vulnerability manifests in several distinct scenarios. Git Bash users who have configured GIT_PS1_SHOWDIRTYSTATE are vulnerable because their shell prompt continuously checks Git repository status. Users with posh-git installed become vulnerable simply by starting PowerShell, as the module automatically queries Git status. IDE users, particularly those using Visual Studio, are affected when creating new projects, as the IDE reads and respects configuration from C:\.git\config. Users of the Microsoft fork of Git are vulnerable upon starting Git Bash.
Root Cause
The root cause lies in Git's recursive directory search algorithm for locating .git directories. When Git operations are invoked outside of a legitimate repository, the search continues upward through parent directories until it either finds a .git folder or reaches the filesystem root. On Windows, this allows a .git folder placed at C:\ to be discovered and trusted by Git operations running anywhere on that drive.
The vulnerability is particularly severe because Git configuration files can specify arbitrary commands to execute through hooks, credential helpers, or other extensible mechanisms. An attacker-controlled .git\config file could configure malicious hooks or helpers that execute when unsuspecting users run Git commands.
Attack Vector
The attack requires local access to create a folder at the root of a Windows drive. Once the C:\.git folder is created with a malicious configuration, any user running Git commands on that drive outside of a legitimate repository will have their Git operations hijacked.
The attack can be triggered passively through IDE operations, shell prompts that display Git status, or any automated Git tooling. This makes the vulnerability particularly dangerous in shared computing environments such as development workstations, educational computer labs, or enterprise shared infrastructure.
Detection Methods for CVE-2022-24765
Indicators of Compromise
- Presence of .git folders at drive roots (e.g., C:\.git, D:\.git)
- Unexpected Git configuration files in C:\.git\config containing hooks or credential helpers
- Anomalous Git hook scripts in C:\.git\hooks\ directory
- Unusual processes spawned as children of Git, IDE, or PowerShell processes
Detection Strategies
- Monitor file system activity for creation of .git directories at drive roots using Windows Security Event logging
- Implement SIEM rules to detect access patterns to C:\.git or similar paths across multiple user accounts
- Deploy endpoint detection to identify Git processes reading configuration from unexpected locations outside user profiles
- Audit Git configuration loading behavior through process monitoring and command-line logging
Monitoring Recommendations
- Enable Windows file system auditing on root directories of all drives where Git is used
- Configure SentinelOne's behavioral AI to detect suspicious directory creation at filesystem roots
- Implement alerts for Git processes that reference .git directories outside of normal repository paths
- Monitor for unauthorized modifications to environment variables like GIT_CEILING_DIRECTORIES
How to Mitigate CVE-2022-24765
Immediate Actions Required
- Upgrade Git for Windows to version 2.35.2 or later immediately
- Audit all Windows systems for existing .git folders at drive roots and remove any suspicious configurations
- Create protected .git folders at drive roots with restricted permissions to prevent malicious folder creation
- Define or extend the GIT_CEILING_DIRECTORIES environment variable to include parent directories of user profiles (e.g., C:\Users)
Patch Information
The vulnerability has been patched in Git for Windows v2.35.2. Users should update to this version or later to receive the security fix. For detailed information, see the GitHub Security Advisory GHSA-vw2c-22j4-2fh2.
Additional vendor updates are available:
- Apple Xcode: See Apple Support Article HT213261
- Fedora: Multiple package announcements available through the Fedora Package Announce mailing list
- Debian: See Debian LTS Announcement
- Gentoo: See GLSA 202312-15
Workarounds
- Create .git folders on all drives where Git commands are run, then remove read/write access from those folders to prevent attackers from using them
- Define or extend the GIT_CEILING_DIRECTORIES environment variable to cover the parent directory of user profiles (e.g., C:\Users if profiles are in C:\Users\username)
- Disable GIT_PS1_SHOWDIRTYSTATE in Git Bash configurations to prevent shell prompt Git status checks
- Uninstall or disable posh-git until systems are patched
# Set GIT_CEILING_DIRECTORIES to prevent traversal above user profiles
# Add to system or user environment variables
setx GIT_CEILING_DIRECTORIES "C:\Users" /M
# Create protected .git folder at drive root (run as Administrator)
mkdir C:\.git
icacls C:\.git /inheritance:r /deny "Everyone:(OI)(CI)(F)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
