Remote Code Execution Vulnerability in Git (CVE-2024-32002) Explained
Git’s CVE‑2024‑32002 is a critical remote‑code‑execution flaw where a malicious repository can exploit hooks, submodules, and symlinks on case‑insensitive file systems to inject and run attacker‑controlled scripts during a recursive clone, affecting versions up to 2.45.0 and mitigated by disabling recursive submodule fetching, avoiding untrusted clones, and updating Git.
A critical Remote Code Execution (RCE) vulnerability identified as CVE-2024-32002 allows an attacker to execute arbitrary code on a victim's machine simply by cloning a malicious Git repository.
The exploit leverages three Git features: hooks, submodules, and symbolic links. Git hooks are scripts stored in .git/hooks that run automatically on specific Git events (e.g., post-checkout, pre-commit). Submodules embed one Git repository inside another, with their locations defined in .gitmodules. When cloning with the --recursive flag, Git fetches submodules and places their repository data under .git/modules/. Symbolic links (symlinks) are filesystem entries that point to other files or directories.
The attacker creates a repository containing a submodule whose path (e.g., A/modules/x) differs only in letter case from a symlink named a that points to the parent repository's .git directory. On case-insensitive file systems (Windows, macOS), the submodule checkout is therefore written into .git/modules/x, which effectively inserts a hooks folder with malicious scripts into Git's internal directory. When the clone finishes, the post-checkout hook is triggered and executes the attacker's payload (e.g., launching the calculator as a proof of concept).
git clone --recursive [email protected]:amalmurali47/git_rce.git
The vulnerability affects many Git versions, including v2.45.0, v2.44.0, and all versions up to v2.39.3. Users should check their installed version with git --version and upgrade to a patched release.
Mitigation: avoid cloning unknown repositories, disable recursive submodule fetching when unnecessary, and keep Git updated.
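As an added defensive check, not code from the original article or from the PoC repository, the following Python audit inspects a repository that was cloned without --recursive and reports any submodule whose path would, on a case-insensitive filesystem, resolve through a symlink into the .git directory (the shape described above). It folds case itself, so it can flag such a repository even when run on a case-sensitive Linux host; the sample repository layout it builds is constructed for illustration, and function names and the example URLs are hypothetical.

```python
import os
import tempfile
from pathlib import Path

def parse_gitmodules(text):
    """Minimal .gitmodules parser: {submodule name: {key: value}}."""
    mods, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[submodule "') and line.endswith('"]'):
            current = line[len('[submodule "'):-2]
            mods[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            mods[current][key.strip()] = value.strip()
    return mods

def resolve_case_insensitive(root, rel_path):
    """Walk rel_path as a case-insensitive FS would (ignore case, follow symlinks)."""
    cur = Path(root).resolve()
    for part in Path(rel_path).parts:
        names = os.listdir(cur) if cur.is_dir() else []
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            break  # deepest existing prefix reached
        cur = (cur / match).resolve()
    return cur

def audit_submodules(repo):
    """Submodule names whose checkout path would land inside .git (CVE-2024-32002 shape)."""
    repo = Path(repo).resolve()
    gitdir, gm = repo / ".git", repo / ".gitmodules"
    if not gm.is_file():
        return []
    findings = []
    for name, cfg in parse_gitmodules(gm.read_text()).items():
        landing = resolve_case_insensitive(repo, cfg.get("path", ""))
        if "path" in cfg and (landing == gitdir or gitdir in landing.parents):
            findings.append(name)
    return findings

def build_sample_repo():
    """Constructed sample, not a real clone: symlink a -> .git, submodule at A/modules/x."""
    d = Path(tempfile.mkdtemp())
    (d / ".git" / "modules").mkdir(parents=True)
    os.symlink(".git", d / "a")
    (d / ".gitmodules").write_text(
        '[submodule "x/y"]\n\tpath = A/modules/x\n\turl = https://example.invalid/h.git\n'
        '[submodule "lib/dep"]\n\tpath = lib/dep\n\turl = https://example.invalid/d.git\n')
    return d
```

Running audit_submodules on the constructed sample reports only "x/y"; the benign "lib/dep" submodule, whose path stays inside the working tree, is not flagged.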