CVE-2024-32465 Overview
CVE-2024-32465 is a security protection bypass vulnerability in Git, the widely-used distributed revision control system. The Git project recommends avoiding work in untrusted repositories and instead cloning them first with git clone --no-local to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but this vulnerability allows those protections to be bypassed.
This vulnerability is related to CVE-2024-32004, which covered the context of cloning local repositories owned by other users. However, there are circumstances where the fixes for CVE-2024-32004 are insufficient. For example, when obtaining a .zip file containing a full copy of a Git repository, it should not be trusted by default to be safe, as hooks could be configured to run within the context of that repository, leading to arbitrary code execution.
Critical Impact
Attackers can craft malicious Git repositories that bypass security protections, potentially executing arbitrary code through Git hooks when users interact with untrusted repository archives.
Affected Products
- Git-scm Git (versions prior to 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4)
- Fedora Linux 40
- Debian Linux 10.0 and 11.0
Discovery Timeline
- May 14, 2024 - CVE-2024-32465 published to NVD
- January 5, 2026 - Last updated in NVD database
Technical Details for CVE-2024-32465
Vulnerability Analysis
This vulnerability stems from insufficient security controls when Git interacts with repositories from untrusted sources. While Git implemented protections in CVE-2024-32004 for cloning local repositories owned by other users, the security boundary remains incomplete for repositories obtained through alternative means, such as archive extraction.
The core issue is that Git's upload-pack component could potentially execute arbitrary commands specified in the configuration and hooks of a source repository. This is particularly dangerous when a user extracts a repository from a .zip file or similar archive obtained from an untrusted source, as the extracted .git directory may contain malicious hook scripts or configurations that execute when Git operations are performed.
The vulnerability is classified as CWE-22 (Path Traversal), indicating that the protection bypass allows operations that should be restricted to cross security boundaries.
Root Cause
The root cause lies in Git's lazy-fetching mechanism within the upload-pack component. When cloning or fetching from a partial repository (one cloned with --filter), the server-side upload-pack may need to fetch extra objects from its upstream to complete the request. This process could trigger the execution of arbitrary commands specified in the repository's configuration and hooks, which is dangerous when operating within untrusted .git directories.
The fix implements a safeguard by having upload-pack internally set the GIT_NO_LAZY_FETCH environment variable to prevent potentially malicious lazy fetch operations by default.
Attack Vector
The attack requires local access with user interaction. An attacker would:
- Create a malicious Git repository with crafted hooks or configuration
- Package the repository into an archive (e.g., .zip file)
- Distribute the archive to potential victims
- When a victim extracts and interacts with the repository using Git commands, the malicious hooks or lazy-fetch configurations execute
The following patch shows how Git now disables lazy-fetching by default in upload-pack:
// Security patch in builtin/upload-pack.c
packet_trace_identity("upload-pack");
read_replace_refs = 0;
/* TODO: This should use NO_LAZY_FETCH_ENVIRONMENT */
xsetenv("GIT_NO_LAZY_FETCH", "1", 0);
argc = parse_options(argc, argv, prefix, options, upload_pack_usage, 0);
Source: Git Commit 7b70e9e
The documentation patch explains the new security mechanism:
`GIT_NO_LAZY_FETCH`::
When cloning or fetching from a partial repository (i.e., one
itself cloned with `--filter`), the server-side `upload-pack`
may need to fetch extra objects from its upstream in order to
complete the request. By default, `upload-pack` will refuse to
perform such a lazy fetch, because `git fetch` may run arbitrary
commands specified in configuration and hooks of the source
repository (and `upload-pack` tries to be safe to run even in
untrusted `.git` directories).
This is implemented by having `upload-pack` internally set the
`GIT_NO_LAZY_FETCH` variable to `1`. If you want to override it
(because you are fetching from a partial clone, and you are sure
you trust it), you can explicitly set `GIT_NO_LAZY_FETCH` to
`0`.
Source: Git Commit 7b70e9e
Detection Methods for CVE-2024-32465
Indicators of Compromise
- Unexpected Git hook executions in repository directories obtained from external archives
- Presence of executable scripts in .git/hooks/ directories within extracted archives
- Unusual Git configuration entries in .git/config files from untrusted sources
- Network connections initiated by Git processes during routine local operations
Detection Strategies
- Monitor for Git processes spawning unexpected child processes, particularly shell interpreters
- Audit extracted archives containing .git directories for suspicious hook scripts
- Implement file integrity monitoring on development workstations to detect unauthorized Git hook modifications
- Use endpoint detection to identify Git operations on repositories from untrusted extraction paths
Monitoring Recommendations
- Enable comprehensive logging for Git operations across development environments
- Deploy SentinelOne's behavioral AI to detect anomalous process execution chains involving Git
- Monitor for GIT_NO_LAZY_FETCH environment variable manipulation that could indicate bypass attempts
- Track archive extractions that result in .git directory creation in user-writable locations
How to Mitigate CVE-2024-32465
Immediate Actions Required
- Update Git to patched versions: 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, or 2.39.4
- Audit all existing repositories obtained from external archives for malicious hooks
- Implement organizational policies against using repositories from untrusted archive sources
- Review and remove any untrusted Git hooks in development environments
Patch Information
The vulnerability has been patched in Git versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. Security advisories and patches are available from:
- GitHub Security Advisory GHSA-vm9j-46j9-qvq4
- Git Commit 7b70e9e
- Debian LTS Announcement
- Fedora Package Announcement
Workarounds
- Avoid using Git in repositories obtained via archives from untrusted sources
- Always use git clone --no-local when cloning from untrusted local repositories
- Manually inspect .git/hooks/ and .git/config before performing Git operations on extracted repositories
- Set GIT_NO_LAZY_FETCH=1 environment variable as an additional safeguard
# Set environment variable to disable lazy fetching
export GIT_NO_LAZY_FETCH=1
# Safe clone from potentially untrusted source
git clone --no-local /path/to/untrusted/repo /path/to/clean/copy
# Verify Git version includes security patches
git --version
# Should show 2.45.1 or later for full protection
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
