PT-2024-3567 · Git+11
Filip-Hejsek
·
Published
2024-05-14
·
Updated
2026-05-22
·
CVE-2024-32002
CVSS v3.1
9.0
Critical
| Vector | AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Git versions prior to 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4
Description
The issue allows an attacker to execute arbitrary code on the victim's machine when the victim clones a repository with submodules. This is possible because Git can be fooled into writing files not into the submodule's worktree but into a .git/ directory, so a hook can be executed during the clone operation before the user has any opportunity to inspect the code. If symbolic link support is disabled in Git, the attack does not work. It is recommended to avoid cloning repositories from untrusted sources.
Recommendations
To resolve the issue, update Git to version 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, or 2.39.4 (whichever is the first fixed release on your release line), or later.
As a temporary workaround, consider disabling symbolic link support in Git via
git config --global core.symlinks false
For Git for Windows users, update Git by running "git update-git-for-windows".
Exploit
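A small host-side check that turns the two recommendations above into code: it parses `git --version` output against the per-release-line fixed versions listed in this advisory and reads whether the `core.symlinks` workaround is in place. This is an added example, not code from the advisory or from the Git project; the function names and the verdict strings are assumptions.

```python
import re

# First fixed release on each maintained 2.x line, as listed in the advisory.
# Older patch levels on these lines are affected; lines before 2.39 are
# affected outright; lines after 2.45 were released with the fix.
FIXED_VERSIONS = {45: 1, 44: 1, 43: 4, 42: 2, 41: 1, 40: 2, 39: 4}

def parse_git_version(output):
    """Extract (major, minor, patch) from `git --version` output.

    Handles "git version 2.45.0" as well as the Git for Windows form
    "git version 2.45.0.windows.1"; trailing components are ignored.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError(f"unrecognised version string: {output!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(output):
    """True if this Git build predates the fix for CVE-2024-32002."""
    major, minor, patch = parse_git_version(output)
    if major != 2:
        return major < 2  # 1.x predates every fix; 3.x would post-date them
    if minor > max(FIXED_VERSIONS):
        return False
    if minor < min(FIXED_VERSIONS):
        return True
    return patch < FIXED_VERSIONS[minor]

def symlinks_disabled(config_output):
    """True if `git config --get core.symlinks` printed a false value.

    Empty output means the key is unset, so the workaround is not applied.
    """
    return config_output.strip().lower() in ("false", "0", "no", "off")

def assess(version_output, config_output):
    """Combine both checks into one verdict string."""
    if not is_vulnerable(version_output):
        return "patched"
    if symlinks_disabled(config_output):
        return "vulnerable build, workaround active"
    return "vulnerable build, no workaround"

if __name__ == "__main__":
    import subprocess
    run = lambda *a: subprocess.run(a, capture_output=True, text=True).stdout
    print(assess(run("git", "--version"),
                 run("git", "config", "--get", "core.symlinks")))
```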
Fix
RCE
Link Following
Path traversal
Unrestricted File Upload
Related Identifiers
Affected Products
ALT Linux
AlmaLinux
Astra Linux
CentOS
Git
Linux Mint
Apple macOS
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu