Patrick Steinhardt

Name of the Vulnerable Software and Affected Versions: Git versions prior to 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4 Description: The issue is related to Git, a revision control system. When cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. This occurs because the optimizations for local cloning include attempting to hard link the object files instead of copying them, and the checks against symbolic links in the source repository can be bypassed. Recommendations: To resolve the issue for each affected version, update to version 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, or 2.39.4, or later. As a temporary workaround, consider using the `--no-local` option when cloning a repository over the filesystem to prevent the creation of hardlinks. Restrict access to the `objects/` directory in the target Git repository to minimize the risk of exploitation. Avoid using the filesystem protocol when cloning a local repository, and instead explicitly specify the `file://` protocol to prevent the use of local cloning optimizations.