Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-24575

CVE-2024-24575: Libgit2 Denial of Service Vulnerability

CVE-2024-24575 is a denial of service vulnerability in Libgit2 that allows attackers to trigger an infinite loop via crafted inputs. This article covers the technical details, affected versions, and mitigation steps.

Published:

CVE-2024-24575 Overview

CVE-2024-24575 is a denial-of-service vulnerability in libgit2, a portable C implementation of Git core methods used to embed Git functionality into applications. Specially crafted input passed to git_revparse_single can force the revparse loop into an infinite iteration. The defect resides in src/libgit2/revparse.c, where the parser fails to handle an edge case in user-supplied spec strings. An attacker can also influence the loop to access arbitrary memory, which may leak data if the parsed rev spec is reflected back. The flaw affects libgit2 versions starting at 1.4.0. Maintainers fixed the issue in releases 1.6.5 and 1.7.2.

Critical Impact

Remote, unauthenticated attackers can trigger an infinite loop in any application calling git_revparse_single, exhausting CPU resources and degrading service availability [CWE-400].

Affected Products

  • libgit2 versions 1.4.0 through 1.6.4
  • libgit2 versions 1.7.0 and 1.7.1
  • Fedora packages shipping vulnerable libgit2 builds

Discovery Timeline

  • 2024-02-06 - CVE-2024-24575 published to the National Vulnerability Database (NVD)
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2024-24575

Vulnerability Analysis

The revparse function in src/libgit2/revparse.c iterates over a caller-supplied spec string to resolve Git object references. The loop lacks bounds enforcement for a specific terminator pattern, which lets crafted input keep the parser cycling without progress. Because the loop also indexes into the spec buffer based on parser state, the same edge case can cause reads of memory outside the intended region. Applications linking libgit2 and accepting rev specs from untrusted sources, including hosted Git tooling and code-analysis pipelines, are exposed to availability loss. The vulnerability is categorized as Denial of Service through Uncontrolled Resource Consumption [CWE-400].

Root Cause

The parser does not handle a bare @ followed immediately by a null terminator. When the next character lookup spec[pos+1] returns \0, the surrounding branch falls through without advancing the parser state. The loop condition remains satisfied, producing infinite iteration and potential out-of-bounds reads on subsequent indices.

Attack Vector

An attacker delivers a malicious rev spec to any application surface that forwards user input to git_revparse_single. This includes web frontends for Git hosting, IDE plugins, CI/CD runners, and security scanners that resolve references from pull requests or webhook payloads. No authentication is required when the input path is publicly reachable.

c
				if (temp_object != NULL)
					base_rev = temp_object;
				break;
+			} else if (spec[pos+1] == '\0') {
+				spec = "HEAD";
+				break;
			}
			/* fall through */

Source: libgit2 commit add2dabb. The patch detects the trailing null after @, substitutes the spec with HEAD, and breaks out of the parser loop, eliminating both the infinite loop and the out-of-bounds index path.

Detection Methods for CVE-2024-24575

Indicators of Compromise

  • Sustained 100% CPU usage in processes linked against libgit2 versions between 1.4.0 and 1.7.1.
  • Application logs showing requests containing bare @ rev specs immediately followed by string termination.
  • Hung worker threads or timeouts in services that resolve user-supplied Git references.

Detection Strategies

  • Inventory binaries and containers using ldd or SBOM tooling to enumerate processes linking libgit2.so below 1.6.5 or 1.7.2.
  • Inspect HTTP and API logs for parameters carrying rev specs and correlate with thread-stall or timeout events.
  • Run unit tests passing the @\0 boundary input to identify code paths that invoke git_revparse_single on untrusted data.

Monitoring Recommendations

  • Alert on long-running CPU spikes in Git-dependent services such as code review platforms, CI runners, and repository indexers.
  • Track child-process duration anomalies for binaries that embed libgit2, including language bindings like pygit2 and rugged.
  • Forward application and host telemetry to a centralized data lake to correlate parser hangs with request payloads.

How to Mitigate CVE-2024-24575

Immediate Actions Required

  • Upgrade libgit2 to version 1.6.5 or 1.7.2, or later, across all hosts, containers, and developer workstations.
  • Rebuild and redeploy applications and language bindings that statically link libgit2 against the patched release.
  • Apply distribution updates from Fedora and other vendors that have shipped advisories referencing this CVE.

Patch Information

The upstream fix is implemented in commit add2dabb3c16aa49b33904dcdc07cd915efc12fa and released in libgit2 v1.6.5 and libgit2 v1.7.2. Additional context is available in the GitHub Security Advisory GHSA-54mf-x2rh-hq9v.

Workarounds

  • Validate and reject rev spec inputs containing a trailing bare @ before passing them to git_revparse_single.
  • Enforce CPU and wall-clock limits on processes invoking libgit2 so a hung parser cannot exhaust host resources.
  • Place untrusted Git operations behind a sandboxed worker with strict timeouts and restart policies.
bash
# Verify installed libgit2 version on Linux
pkg-config --modversion libgit2
ldconfig -p | grep libgit2

# Fedora / RHEL update
sudo dnf upgrade --refresh libgit2

# Debian / Ubuntu update
sudo apt-get update && sudo apt-get install --only-upgrade libgit2-1.7

# Container image rebuild
docker build --no-cache --pull -t myapp:patched .

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.