Git clone vulnerability announced
Today, the Git project released new versions to address CVE-2021-21300: a security vulnerability in the delayed checkout mechanism used by Git LFS during git clone operations affecting versions 2.15 and…

Today, the Git project released new versions to address CVE-2021-21300: a security vulnerability in the delayed checkout mechanism used by Git LFS during git clone
operations affecting versions 2.15 and newer.
These updates address an issue where a specially crafted repository can execute code during a git clone
on case-insensitive filesystems which support symbolic links by abusing certain types of clean/smudge filters, like those configured by Git LFS.
Upgrade to the latest Git version
The most effective way to protect against this vulnerability is to upgrade to 2.30.2. If you can’t update immediately, you can reduce your risk by doing any of the following:
- Disable support for symbolic links in Git by running
git config
.
--global core.symlinks false - Disable support for process filters. (You can see if any of these are configured on your system by running
git config
1)
--show-scope --get-regexp 'filter\..*\.process' - Avoid cloning untrusted repositories.
GitHub itself is not vulnerable to this attack. We do not store checked out copies of repositories on our servers, except for GitHub Pages, which does not use any clean/smudge filters.
Credit for finding and fixing this vulnerability is shared among Matheus Tavares and Johannes Schindelin.
1. In the Windows Command Prompt, replace the single quotes in this example with double quotes.
Tags:
Written by
Related posts

From first commits to big ships: Tune into our new open source podcast
Introducing the brand new GitHub Podcast: A show dedicated to the topics, trends, stories, and culture in and around the open source developer community on GitHub.

Scaling for impact: How GitHub Copilot supercharges smallholder farmers
Empowering 10 million farm families by 2030 to generate $1 billion in new revenue. How GitHub helps One Acre Fund’s mission — driving real impact across Africa.

We need a European Sovereign Tech Fund
Open source software is critical infrastructure, but it’s underfunded. With a new feasibility study, GitHub’s developer policy team is building a coalition of policymakers and industry to close the maintenance funding gap.