Two critical security vulnerabilities in remote code execution are fixed by Git

Git has fixed two security flaws of critical severity that can allow an attacker to execute arbitrary codes after exploiting heap-based buffer overload weaknesses.

Untrusted search paths weakness is a third Windows-specific vulnerability that affects the Git GUI tool. This allows unauthenticated threat agents to execute low-complexity, untrusted code.

On Wednesday, the first two vulnerabilities were fixed ( within the commit formatting mechanism; and inside the.gitattributes Parser).

CVE-20222-41953, the third, is still in development. However, users have the option to work around this issue by using Git GUI instead of the Git GUI software.

These vulnerabilities were discovered by security experts at X41 (Eric Sesterhenn, Markus Vervier), and GitLab [Joern Schneeweisz] as part of a sponsored .

An attacker can trigger heap-based memory corruption in clone and pull operations. This could lead to code execution. A second critical problem is code execution in archive operations, which are commonly done by Git forges,” X41 security experts stated .

“Additionally, we identified a large number of integer-related issues that could lead to out-of bound reads, denial-of service situations or poorly handled corner cases with large input.”


ffected versions

Versions etched




HTML3_ git

<= v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2, v2.39.0

>= v2.30.7, v2.31.6, v2.32.5, v2.33.6, v2.34.6, v2.35.6, v2.36.4, v2.37.5, v2.38.3, v2.39.1

The best way to protect yourself against attackers trying to exploit these weaknesses is to update to Git version 2.39.1.

If users are unable to update immediately to fix the CVE-202-21903 remote code execution flaw, they can take these steps to make sure that hackers cannot exploit the Git vulnerability.

  • Eliminate ‘git archives’ from untrusted repositories.
  • If the “git archive” is visible via the “git daemon,” disable it while working with untrusted repositories using the “git config –global Daemon.uploadArch false” command

“We recommend all installations that are affected by the issues [..] be updated to the most recent version as soon as possible , GitLab .