CVE-2024-32004 Overview
CVE-2024-32004 is an arbitrary code execution vulnerability in Git, the widely-used distributed revision control system. This vulnerability allows an attacker to prepare a malicious local repository in such a way that, when cloned by a victim, arbitrary code will execute during the clone operation. The vulnerability affects multiple Git versions and has been addressed in security releases across all supported branches.
Critical Impact
Arbitrary code execution during git clone operations enables attackers to compromise developer workstations and CI/CD pipelines through malicious repositories.
Affected Products
- Git-scm Git (versions prior to 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4)
- Fedoraproject Fedora 40
- Debian Linux 10.0 and 11.0
Discovery Timeline
- 2024-05-14 - CVE-2024-32004 published to NVD
- 2026-01-06 - Last updated in NVD database
Technical Details for CVE-2024-32004
Vulnerability Analysis
This vulnerability falls under CWE-114 (Process Control), allowing attackers to execute arbitrary code during the git clone operation. The flaw exists in how Git processes specially crafted local repositories, enabling code execution without requiring any additional user interaction beyond initiating a clone operation.
The attack requires local access and user interaction, meaning a victim must be enticed into cloning a malicious repository. Once the clone operation begins, the attacker's code executes with the privileges of the user running the git command. This poses significant risks in development environments, CI/CD pipelines, and any automated systems that clone repositories from potentially untrusted sources.
Root Cause
The vulnerability stems from improper handling of repository data during the clone process. When Git clones a local repository, certain repository configurations and hooks can be processed in ways that lead to code execution. An attacker can craft a repository structure that exploits this processing to run arbitrary commands.
Attack Vector
The attack vector is local, requiring the attacker to prepare a malicious repository that the victim will clone. Attack scenarios include:
- Shared development environments - An attacker with access to a shared filesystem creates a malicious repository that colleagues may clone
- Social engineering - Distributing malicious repositories through file sharing, USB drives, or archived repository downloads
- Compromised development tools - Integrating malicious repositories into development workflows or templates
The vulnerability mechanism involves Git processing malicious content within the repository structure during the clone operation. For technical details on the specific exploitation vectors, refer to the GitHub Security Advisory GHSA-xfc6-vwr8-r389.
Detection Methods for CVE-2024-32004
Indicators of Compromise
- Unexpected process spawning during git clone operations
- Unusual child processes launched by the git binary
- Suspicious repository structures containing embedded scripts or executables in non-standard locations
- Network connections initiated during clone operations that should be local-only
Detection Strategies
- Monitor git process trees for unexpected child processes during clone operations
- Implement application whitelisting to detect unauthorized code execution originating from git operations
- Deploy endpoint detection solutions that can identify anomalous behavior patterns during repository cloning
- Review git audit logs for clone operations from unusual source paths
Monitoring Recommendations
- Enable verbose logging for git operations in development environments
- Configure SIEM rules to alert on git processes spawning unexpected executables
- Monitor for file system changes in temporary directories during clone operations
- Implement behavioral analysis for development workstations to detect post-exploitation activities
How to Mitigate CVE-2024-32004
Immediate Actions Required
- Update Git to patched versions: 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, or 2.39.4
- Avoid cloning repositories from untrusted sources until patches are applied
- Audit existing local repositories for suspicious content before cloning
- Implement repository source verification policies in CI/CD pipelines
Patch Information
Security patches are available across all supported Git branches. The fix is documented in Git Commit f4aa8c8. Organizations should update to the following patched versions:
| Branch | Patched Version |
|---|---|
| 2.45.x | 2.45.1 |
| 2.44.x | 2.44.1 |
| 2.43.x | 2.43.4 |
| 2.42.x | 2.42.2 |
| 2.41.x | 2.41.1 |
| 2.40.x | 2.40.2 |
| 2.39.x | 2.39.4 |
Distribution-specific updates are available through Fedora Package Announcement and Debian LTS Announcement.
Workarounds
- Only clone repositories from trusted and verified sources
- Use --no-local flag when cloning local repositories to force Git to use the standard transport mechanisms
- Implement network segmentation to isolate development environments from untrusted repository sources
- Review repository contents before cloning using archive extraction tools rather than git clone
# Verify Git version is patched
git --version
# If vulnerable, update Git on Debian/Ubuntu
sudo apt-get update && sudo apt-get install git
# If vulnerable, update Git on Fedora
sudo dnf update git
# Safer alternative for cloning local repositories
git clone --no-local /path/to/suspicious/repo
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
