CVE-2023-25652 Overview
CVE-2023-25652 is a path traversal vulnerability in Git, the widely-used distributed revision control system. By feeding specially crafted input to git apply --reject, an attacker can overwrite files outside the working tree with partially controlled contents corresponding to the rejected hunk(s) from a malicious patch. This vulnerability affects multiple Git versions prior to the security patches released in April 2023.
Critical Impact
Attackers can exploit this vulnerability to write arbitrary content to locations outside the intended Git working directory, potentially overwriting system configuration files, injecting malicious code, or compromising the integrity of the target system.
Affected Products
- Git versions prior to 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1
- Git version 2.40.0
- Fedora 37 and Fedora 38 (via packaged Git versions)
Discovery Timeline
- 2023-04-25 - CVE-2023-25652 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2023-25652
Vulnerability Analysis
This path traversal vulnerability (CWE-22) exists in the git apply command when used with the --reject flag. When Git applies a patch that fails to apply cleanly, it creates a .rej file containing the rejected hunks. The vulnerability allows an attacker to craft a malicious patch that causes Git to write the .rej file to an arbitrary location outside the working tree.
The attack requires no authentication and can be executed remotely if a user applies a patch from an untrusted source. The integrity impact is high as attackers can overwrite files with partially controlled contents, though confidentiality and availability are not directly affected.
Root Cause
The root cause lies in insufficient path validation when Git determines where to write the .rej file for rejected patch hunks. The code in apply.c did not properly sanitize the path destination, and notably did not handle the case where a symbolic link existed at the .rej file location. This allowed crafted patches to escape the working directory boundary and write rejected content to arbitrary filesystem locations via symlink following.
Attack Vector
The attack vector is network-based, as malicious patches can be distributed through various channels including email, pull requests, or malicious repositories. An attacker crafts a patch file with path components designed to traverse outside the working directory. When a victim runs git apply --reject on this malicious patch, the rejected hunks are written to the attacker-specified location. The partially controlled contents (the rejected hunks) could contain malicious configurations, scripts, or other harmful data.
// Security fix in apply.c - handling symlink attack vector
// Source: https://github.com/git/git/commit/18e2b1cfc80990719275d7b08e6e50f3e8cbc902
FILE *rej;
char namebuf[PATH_MAX];
struct fragment *frag;
- int cnt = 0;
+ int fd, cnt = 0;
struct strbuf sb = STRBUF_INIT;
for (cnt = 0, frag = patch->fragments; frag; frag = frag->next) {
The patch introduces a file descriptor variable to properly handle the file creation, ensuring that existing symlinks at the .rej file location are removed before writing, preventing the symlink attack vector.
Detection Methods for CVE-2023-25652
Indicators of Compromise
- Unexpected .rej files appearing outside of Git working directories
- Symlinks with .rej extensions in Git repositories that point to sensitive system files
- Modified system configuration files or scripts with patch hunk markers (@@ notation)
- File system access logs showing Git processes writing to unexpected locations
Detection Strategies
- Monitor git apply command executions with the --reject flag, especially when processing patches from external sources
- Implement file integrity monitoring on critical system paths to detect unauthorized modifications
- Audit patch files before application using git apply --stat to identify suspicious path references
- Deploy endpoint detection rules to flag Git processes writing files outside expected repository boundaries
Monitoring Recommendations
- Enable comprehensive logging for Git operations across development environments
- Configure SIEM alerts for file write events by Git processes to sensitive directories like /etc/, /root/, or system binary locations
- Implement behavioral analytics to detect unusual Git command patterns, particularly git apply --reject from untrusted sources
- Monitor for creation of symlinks with .rej extensions within repository directories
How to Mitigate CVE-2023-25652
Immediate Actions Required
- Upgrade Git to a patched version: 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, or 2.40.1 or later
- Avoid using git apply with --reject flag when applying patches from untrusted sources
- Inspect patches before applying using git apply --stat to review affected files and paths
- Establish policies requiring patch review before application in development workflows
Patch Information
Security patches have been released by the Git project and are available in the versions listed above. The fix addresses the path traversal issue by properly sanitizing output paths and removing existing symlinks at .rej file locations before writing. For detailed patch information, see the GitHub Security Advisory GHSA-2hvf. Additional commit details are available at Git Commit #18e2b1c and Git Commit #668f2d5.
Workarounds
- Do not use git apply with --reject when applying patches from untrusted sources
- Always inspect patches before applying using git apply --stat to review what files will be affected
- Avoid applying patches that would create conflicts where a symbolic link corresponding to the *.rej file exists
- Consider using git apply --check to test patches in a dry-run mode before actual application
- Implement patch review workflows in CI/CD pipelines to validate patches before they reach developer workstations
# Safe patch inspection before applying
git apply --stat suspicious-patch.patch
git apply --check suspicious-patch.patch
# If you must use --reject, ensure no symlinks exist at potential .rej locations
find . -type l -name "*.rej" -delete
# Upgrade Git to patched version (example for Debian/Ubuntu)
sudo apt update && sudo apt install git
# Verify Git version after upgrade
git --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
