Skip to main content
CVE Vulnerability Database

CVE-2024-3817: Hashicorp Go-getter Argument Injection

CVE-2024-3817 is an argument injection vulnerability in Hashicorp Go-getter library that occurs when executing Git to discover remote branches. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2024-3817 Overview

HashiCorp's go-getter library contains an argument injection vulnerability that occurs when executing Git to discover remote branches. The go-getter library is a widely used Go library that downloads files or directories from various sources using a URL-style addressing scheme. When the library processes Git repository URLs to discover remote default branches, insufficient input validation allows attackers to inject malicious arguments into the Git command execution.

This vulnerability does not affect the go-getter/v2 branch and package, limiting the impact to older versions of the library.

Critical Impact

This argument injection vulnerability allows unauthenticated remote attackers to execute arbitrary commands on systems using the vulnerable go-getter library, potentially leading to complete system compromise.

Affected Products

  • HashiCorp go-getter (v1 branch)
  • Applications and tools built using the vulnerable go-getter library
  • Infrastructure automation tools that depend on go-getter for source fetching

Discovery Timeline

  • 2024-04-17 - CVE-2024-3817 published to NVD
  • 2025-12-11 - Last updated in NVD database

Technical Details for CVE-2024-3817

Vulnerability Analysis

The vulnerability resides in how go-getter handles Git URLs when discovering remote branches. When a user or automated process requests to fetch content from a Git repository, the library constructs and executes Git commands to interact with the remote repository. The flaw occurs because user-supplied input within the URL is not properly sanitized before being passed as arguments to the Git executable.

This argument injection weakness (CWE-88) allows attackers to craft malicious URLs that inject additional arguments into the Git command line. Since Git supports various flags that can execute arbitrary commands or modify system behavior, an attacker can leverage this to achieve remote code execution on the target system.

Root Cause

The root cause of this vulnerability is improper neutralization of argument delimiters in the go-getter library's Git getter implementation. When constructing command-line arguments for Git operations, the library fails to properly sanitize or validate URL components that are passed to the git executable. This allows specially crafted URLs containing argument separators (such as --) or Git-specific options to inject malicious parameters.

Attack Vector

An attacker can exploit this vulnerability by providing a maliciously crafted Git URL to any application that uses the vulnerable go-getter library. The attack can be executed remotely without authentication and requires no user interaction. Common attack scenarios include:

  1. Supply chain attacks where a malicious repository URL is introduced into configuration files
  2. Compromising CI/CD pipelines that use go-getter for fetching dependencies
  3. Targeting infrastructure-as-code tools like Terraform that rely on go-getter

The exploitation involves crafting a Git URL that includes embedded Git command-line arguments. When go-getter processes this URL to discover remote branches, the injected arguments are executed as part of the Git command, potentially allowing arbitrary command execution through Git hooks or configuration options.

Detection Methods for CVE-2024-3817

Indicators of Compromise

  • Unusual Git command executions with unexpected arguments in process logs
  • Suspicious outbound network connections from Git processes
  • Unexpected file modifications following Git fetch operations
  • Anomalous child processes spawned by Git executable
  • Presence of malformed or suspicious Git URLs in application configuration files

Detection Strategies

  • Monitor process creation events for Git executions with suspicious argument patterns
  • Implement network monitoring to detect unusual Git protocol traffic to untrusted destinations
  • Review application logs for error messages related to malformed Git URLs
  • Deploy endpoint detection to identify command injection patterns in Git invocations
  • Audit dependency manifests and configuration files for suspicious repository URLs

Monitoring Recommendations

  • Enable verbose logging for applications using go-getter library
  • Implement real-time alerting for Git command executions with unusual flags
  • Monitor for lateral movement or privilege escalation following Git operations
  • Track changes to infrastructure configuration files that specify Git repository URLs

How to Mitigate CVE-2024-3817

Immediate Actions Required

  • Inventory all applications and dependencies using HashiCorp go-getter v1 library
  • Upgrade to go-getter/v2 which is not affected by this vulnerability
  • Review and validate all Git repository URLs in configuration files
  • Implement network segmentation to limit outbound connections from affected systems
  • Apply the principle of least privilege to services using go-getter

Patch Information

HashiCorp has released updated versions of the go-getter library that address this vulnerability. Organizations should upgrade to the patched version or migrate to go-getter/v2 which is not affected. For detailed patch information and remediation guidance, refer to the HashiCorp Security Advisory HCSEC-2024-09.

Workarounds

  • Restrict network access to trusted Git repositories only using firewall rules or proxy configurations
  • Implement URL allowlisting to prevent fetching from untrusted Git sources
  • Use local Git mirrors instead of direct remote repository access where possible
  • Deploy application-level input validation for Git URLs before passing to go-getter
bash
# Example: Restrict Git repository access to trusted sources
# Add to firewall or network policy configuration
# Allow only connections to approved Git hosting services
iptables -A OUTPUT -p tcp --dport 22 -d github.com -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -d github.com -j ACCEPT
iptables -A OUTPUT -p tcp --dport 9418 -d github.com -j ACCEPT
# Block all other Git protocol traffic
iptables -A OUTPUT -p tcp --dport 9418 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.