CRITICAL · CVSS 9.0
CVE-2024-32002 — Git RCE via case-insensitive filesystem symlink
On case-insensitive filesystems (Windows, and macOS by default), a crafted combination of submodule paths and symlinks could trick Git into writing outside the repository root during a clone, enabling remote code execution.
Affects
- Git before 2.39.4, 2.40.2, 2.41.1, 2.42.2, 2.43.4 or 2.44.1 (the fixed point release of each maintained line)
What an attacker does
The attacker publishes a malicious Git repository. A developer on Windows or macOS clones it; specially crafted submodule names and symlinks cause Git to execute hooks from outside the repository, so arbitrary code runs on the developer's machine during the clone.
How to detect
Run `git --version` on every developer machine and compare the result with the fixed releases listed above; any version below its line's fixed point release is affected.
How to fix
Upgrade Git to a fixed release. In CI, also verify the Git version shipped in the runner image, not only the version on developer workstations.
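The version check above is easy to get wrong because each maintained line has its own fixed point release. The following POSIX shell function, an added example rather than code from the advisory or from Securie, classifies a `git --version` string against the releases listed in this advisory; release lines it does not list are reported as unknown instead of being assumed fixed.

```shell
#!/bin/sh
# Added example: classify a `git --version` string against the release lines
# this advisory lists as fixed for CVE-2024-32002. Each maintained line got
# its own point release, so a single "newer than 2.39.4" test would misjudge
# versions such as 2.43.3 or 2.44.0.

# Usage: cve_2024_32002_status "<git --version output or bare version>"
# Prints "fixed", "affected" or "unknown".
cve_2024_32002_status() {
  # Reduce "git version 2.39.3 (Apple Git-146)" or "git version 2.43.0.windows.1"
  # to its X.Y.Z triple; vendor suffixes are dropped.
  ver=$(printf '%s' "$1" | sed 's/^git version //' | cut -d' ' -f1)
  major=$(printf '%s' "$ver" | cut -d. -f1)
  minor=$(printf '%s' "$ver" | cut -d. -f2)
  patch=$(printf '%s' "$ver" | cut -d. -f3)
  patch=${patch%%[!0-9]*}     # "0-rc1" -> "0"
  patch=${patch:-0}
  for n in "$major" "$minor"; do
    case "$n" in ''|*[!0-9]*) echo unknown; return ;; esac
  done
  # Only the 2.x series is covered by the advisory text.
  [ "$major" -eq 2 ] || { echo unknown; return; }
  # Every line before 2.39 is below the oldest fixed release.
  if [ "$minor" -lt 39 ]; then echo affected; return; fi
  # Minimum patch level per release line, as listed in the advisory.
  case "$minor" in
    39) min=4 ;;
    40) min=2 ;;
    41) min=1 ;;
    42) min=2 ;;
    43) min=4 ;;
    44) min=1 ;;
    *)  echo unknown; return ;;   # lines the advisory does not list
  esac
  if [ "$patch" -ge "$min" ]; then echo fixed; else echo affected; fi
}

# Stand-alone use: report on the Git installed on this machine, if any.
if command -v git >/dev/null 2>&1; then
  echo "$(git --version): $(cve_2024_32002_status "$(git --version)")"
fi
```

The same function can run in a CI step against the runner image's `git --version` output and fail the job when it prints anything other than `fixed`.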
How Securie catches it
Securie's developer-machine security checks verify the Git version in CI.