How a Git Submodule & Symlink Trick Triggers Remote Code Execution (CVE‑2024‑32002)
An RCE vulnerability (CVE-2024-32002) in Git allows attackers to embed malicious hooks via a recursively cloned submodule and a symlink on a case-insensitive filesystem, so that cloning the repository executes arbitrary code, such as launching the calculator. It affects Git versions up to 2.45.0 unless patched.
1. Vulnerability Overview
A critical remote‑code‑execution (RCE) flaw identified as CVE-2024-32002 affects Git when a repository is cloned recursively. An attacker can craft a repository that, once cloned, runs arbitrary commands on the victim’s machine, demonstrated by launching the calculator program.
2. Git Hooks
Git provides a hook mechanism where scripts placed in .git/hooks are automatically executed at specific events (e.g., pre-commit, post-checkout). These hooks are intended for automation such as code formatting or notifications, but they can also run any command the attacker supplies.
pre-commit: runs before a commit is created.
prepare-commit-msg: runs before the commit message editor opens.
commit-msg: runs after the commit message is entered.
post-commit: runs after a commit is recorded.
pre-rebase: runs before a rebase operation.
post-checkout: runs after git checkout.
post-merge: runs after a merge completes.
3. Submodules
A submodule is a nested Git repository referenced in a parent project’s .gitmodules file. When cloning with the --recursive flag, Git automatically clones each listed submodule into the location specified by the path entry.
4. Symbolic Links
Git also supports symbolic links (symlinks), which are filesystem entries that point to another file or directory. On case‑insensitive platforms (Windows, macOS), a symlink named a that points to .git can be confused with the actual .git directory.
5. Exploit Mechanics
The attacker creates a malicious repository that includes a submodule. Inside the submodule, a symlink named a points to the parent .git directory. Because the filesystem is case-insensitive, the submodule's files are written into .git/modules/x, which is inside Git's private metadata area.
The attacker prepares a Git project that depends on a submodule.
The submodule contains a symlink a → .git.
When a victim runs git clone --recursive [email protected]:amalmurali47/git_rce.git, Git follows the symlink and writes the submodule's content into .git/modules/x.
The submodule includes a .git/hooks/post-checkout script that launches calc (or any payload).
After the recursive clone finishes, Git executes the post-checkout hook, running the attacker's code.
The proof‑of‑concept shows the calculator opening on both Windows and macOS.
6. Affected Versions
v2.45.0
v2.44.0
<=v2.43.3
<=v2.42.1
v2.41.0
<=v2.40.1
<=v2.39.3
7. Mitigation
Check your Git version with git --version. If it falls within the affected range, upgrade to a patched release immediately. Avoid cloning repositories from untrusted sources, especially with the --recursive option, and consider disabling automatic hook execution.
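A pre-flight check for untrusted repositories, added here as an example (it is not code from the original article or from Git): it reads the output of git ls-tree -r HEAD, taken from a non-recursive --no-checkout clone, and flags a symlink whose path matches, ignoring case, a parent directory of a submodule path. The function names and the sample listing are constructed for illustration, and paths are assumed to need no quoting.

```python
# Constructed sample of `git ls-tree -r HEAD` output; object ids are placeholders.
SAMPLE_LS_TREE = (
    "100644 blob 1111111111111111111111111111111111111111\t.gitmodules\n"
    "160000 commit 2222222222222222222222222222222222222222\tA/lib/x\n"
    "120000 blob 3333333333333333333333333333333333333333\ta\n"
    "100644 blob 4444444444444444444444444444444444444444\tREADME.md\n"
    "120000 blob 5555555555555555555555555555555555555555\tdocs/latest\n"
)

SYMLINK_MODE = "120000"  # Git's tree mode for a symbolic link
GITLINK_MODE = "160000"  # Git's tree mode for a submodule commit (gitlink)


def parse_ls_tree(text):
    """Yield (mode, path) from '<mode> <type> <oid>\\t<path>' lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        meta, _, path = line.partition("\t")
        yield meta.split(" ", 1)[0], path


def find_symlink_submodule_collisions(ls_tree_text):
    """Return sorted (symlink_path, submodule_path) pairs where the symlink's
    path equals, ignoring case, a parent directory of the submodule path.
    Symlink targets are not inspected; the name collision alone is flagged."""
    entries = list(parse_ls_tree(ls_tree_text))
    symlinks = {p.casefold(): p for m, p in entries if m == SYMLINK_MODE}
    findings = []
    for mode, path in entries:
        if mode != GITLINK_MODE:
            continue
        parts = path.split("/")
        # Walk every proper ancestor directory of the submodule path: A, A/lib
        for i in range(1, len(parts)):
            parent = "/".join(parts[:i]).casefold()
            if parent in symlinks:
                findings.append((symlinks[parent], path))
    return sorted(findings)


if __name__ == "__main__":
    for link, sub in find_symlink_submodule_collisions(SAMPLE_LS_TREE):
        print(f"SUSPICIOUS: symlink {link!r} shadows a parent of submodule {sub!r}")
```

A finding means the repository should not be cloned with --recursive on Windows or macOS until it has been reviewed; an empty result does not replace upgrading Git.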
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
