Git Protocol Injection Vulnerability Allowing Arbitrary File Writes and Potential Code Execution

A vulnerability in Git versions 2.50.0, 2.49.0, 2.48.0 through 2.48.1, 2.47.0 through 2.47.2, 2.46.0 through 2.46.3, 2.45.0 through 2.45.3, 2.44.0 through 2.44.3, and 2.43.6 and prior allows for protocol injection via the bundle-uri parameter. When cloning a repository, the Git client can fetch a bundle advertised by the remote server. However, the client does not adequately validate these bundles, enabling the server to inject protocols that could lead the client to write the fetched bundle to a location controlled by the adversary. This could result in arbitrary code execution, as the fetched content is fully controlled by the server. The vulnerability is not present by default and can be managed with the bundle.heuristic config option. Exploitation may require the adversary to control the repository's clone destination, potentially through social engineering or by using recursive clones with submodules, which can be avoided by disabling recursive cloning.

Impact

Successful exploitation allows for arbitrary file writes, with the potential for arbitrary code execution, depending on the injected content and its placement within the file system.

Remediation

Users can update to Git versions 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, or 2.50.1. Additionally, the bundle.heuristic config option can be used to disable the use of bundle URIs.