SentinelOne
CVE Vulnerability Database
Vulnerability Database/CVE-2024-32002

CVE-2024-32002: Git Submodule Hook RCE Vulnerability

CVE-2024-32002 is a remote code execution vulnerability in Git that exploits submodule handling to write malicious hooks. Attackers can execute code during clone operations. This article covers technical details, impact, and patches.

Updated:

CVE-2024-32002 Overview

Git is a widely-used revision control system. Prior to versions 2.45.1, repositories with submodules could be exploited due to a bug allowing files to be written into a .git/ directory rather than the submodule's worktree. This vulnerability enables the execution of a malicious hook during the cloning process, eliminating user inspection opportunities.

Critical Impact

This vulnerability could result in unauthorized code execution leading to potentially severe compromise.

Affected Products

  • Git version 2.41.0
  • Git version 2.44.0
  • Git version 2.45.0

Discovery Timeline

  • 2024-05-14 - CVE CVE-2024-32002 published to NVD
  • 2025-11-04 - Last updated in NVD database

Technical Details for CVE-2024-32002

Vulnerability Analysis

Git's vulnerability arises from improper path sanitization within repository submodules, resulting in potential Path Traversal (CWE-22) and Link Following (CWE-59) issues. This flaw can be exploited to execute unauthorized scripts hidden within submodules.

Root Cause

The root cause is the inadequate validation of paths which allows submodule repositories to interfere with the .git/ directory settings through symbolic links.

Attack Vector

The attack can be conducted over a network by tricking users into cloning a malicious repository which houses submodules with crafted symbolic links.

bash
# Example exploitation code (sanitized)
git clone --recurse-submodules <malicious-repo>

Detection Methods for CVE-2024-32002

Indicators of Compromise

  • Unexplained scripts in .git/hooks/
  • Unauthorized changes in repository configuration
  • Unexpected network activity during repository clone

Detection Strategies

Security software can detect unusual Git operations, particularly anomalous submodule paths. Tools should monitor for unexpected resource accesses and configuration changes within .git directories.

Monitoring Recommendations

Implement logging for all Git operations and enable alerts for modifications within .git directories to identify potential exploit attempts.

How to Mitigate CVE-2024-32002

Immediate Actions Required

  • Avoid cloning repositories from untrusted sources
  • Utilize git config --global core.symlinks false to disable symbolic link support where possible
  • Regularly review submodule contents

Patch Information

The vulnerability has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. Implement these updates immediately to mitigate risk.

Workarounds

Disabling symbolic links in Git provides a temporary safeguard against this vulnerability.

bash
# Configuration example
git config --global core.symlinks false

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne