Git < 2.45.1 — RCE
A maliciously crafted Git repository can achieve code execution when cloned on Windows (or macOS) due to case-insensitive filesystem handling of symlinks in submodules. Update Git to 2.45.1 / 2.44.1 / 2.43.4 immediately.
A developer who clones a malicious repository (including from GitHub, GitLab, or any Git hosting) executes attacker-controlled code automatically as part of the clone operation. This affects CI/CD pipelines, developer workstations, and any automated system that clones Git repositories.
Git allows repositories to contain submodules. On case-insensitive filesystems (Windows NTFS, macOS HFS+), an attacker can craft a repository where a symlink in a submodule points to the .git directory of the parent repository using a different case (e.g., ".GIT"). Git follows the symlink and writes hook scripts into the .git/hooks directory. When Git runs post-checkout hooks, the attacker's script executes.
Probably yes if any of these apply:
Affected OS versions
Proof of concept code was published within days of the May 2024 disclosure. CI/CD pipelines that clone untrusted or public repositories on Windows agents are especially at risk. A supply-chain attack scenario involves poisoning a well-known open-source repository's submodule to execute code on every developer who runs git clone --recursive.
Manual remediation steps
⏱ 5 minutes (no reboot required)Check Git Version
git --version
# Vulnerable if older than 2.43.4 / 2.44.1 / 2.45.1
Update Git for Windows
# Via winget:
winget upgrade Git.Git
# Or download the installer from https://git-scm.com/download/win
Immediate Workaround (if update is delayed)
# Disable symlinks in Git (reduces functionality but removes exploit path)
git config --global core.symlinks false
Verify
git --version
# Must show git version 2.45.1 or later
# Confirm symlinks setting if workaround was applied:
git config --global core.symlinks
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.
References