Today, the Git project released a series of security patches to address multiple security vulnerabilities in versions 2.24 and older.
These updates are highly recommended for all Git users, but they’re especially critical if you use Git on Windows. If you clone untrusted repositories, there is no workaround that avoids the risk of any vulnerabilities disclosed in this post, except for updating.
If you use Git on another operating system, this update is still highly recommended. However, if you can’t update immediately, here are some things you can do to reduce your risk:
- Avoid running
git clone --recurse-submodulesand
git submodule updatewith untrusted repositories.
- Avoid running
git fast-importon untrusted input streams. It’s still safe to use remote helpers that use
git fast-importon the backend (such as
- Avoid cloning untrusted repositories into NTFS mounts on any platform.
The new releases contain partial support for rejecting pushes that exploit these vulnerabilities, but some cases remain uncovered. It’s important to update, and not rely on hosting providers to block all exploits.
If you use GitHub Enterprise Server, these fixes will be included in the next patch release for all supported versions.
: CVEs CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1353, and, CVE-2019-1354 are Windows-specific vulnerabilities that can lead to remote code execution when cloning an untrusted repository. They’re patched only in today’s security releases. CVE-2019-1352 can affect non-Windows users, but only if you mount an NTFS volume.