Multiple Git vulnerabilities in 2.24 and older
Learn more about the security vulnerabilities in Git 2.24 and older.

Today, the Git project released a series of security patches to address multiple security vulnerabilities in versions 2.24 and older.
These updates are highly recommended for all Git users, but they’re especially critical if you use Git on Windows[1]. If you clone untrusted repositories, there is no workaround that avoids the risk of any vulnerabilities disclosed in this post, except for updating.
If you use Git on another operating system, this update is still highly recommended. However, if you can’t update immediately, here are some things you can do to reduce your risk:
- Avoid running
git clone --recurse-submodules
andgit submodule update
with untrusted repositories. - Avoid running
git fast-import
on untrusted input streams. It’s still safe to use remote helpers that usegit fast-import
on the backend (such asgit-remote-hg
,git-p4
). - Avoid cloning untrusted repositories into NTFS mounts on any platform.
The new releases contain partial support for rejecting pushes that exploit these vulnerabilities, but some cases remain uncovered. It’s important to update, and not rely on hosting providers to block all exploits.
If you use GitHub Enterprise Server, these fixes will be included in the next patch release for all supported versions.
[1]: CVEs CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1353, and, CVE-2019-1354 are Windows-specific vulnerabilities that can lead to remote code execution when cloning an untrusted repository. They’re patched only in today’s security releases. CVE-2019-1352 can affect non-Windows users, but only if you mount an NTFS volume.
Tags:
Written by
Related posts

From first commits to big ships: Tune into our new open source podcast
Introducing the brand new GitHub Podcast: A show dedicated to the topics, trends, stories, and culture in and around the open source developer community on GitHub.

Scaling for impact: How GitHub Copilot supercharges smallholder farmers
Empowering 10 million farm families by 2030 to generate $1 billion in new revenue. How GitHub helps One Acre Fund’s mission — driving real impact across Africa.

We need a European Sovereign Tech Fund
Open source software is critical infrastructure, but it’s underfunded. With a new feasibility study, GitHub’s developer policy team is building a coalition of policymakers and industry to close the maintenance funding gap.