CVE-2024-52005

Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329	Vendor Advisory
https://lore.kernel.org/git/1M9FnZ-1taoNo1wwh-00ESSd@mail.gmx.net	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:git:git::::::::
	cpe:2.3:a:git:git::::::::
	cpe:2.3:a:git:git::::::::
	cpe:2.3:a:git:git::::::::
	cpe:2.3:a:git:git::::::::
	cpe:2.3:a:git:git::::::::
	cpe:2.3:a:git:git::::::::
	cpe:2.3:a:git:git::::::::
	cpe:2.3:a:git:git::::::::

History

18 Dec 2025, 16:00

Type	Values Removed	Values Added
References	~~() https://github.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329 -~~	() https://github.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329 - Vendor Advisory
References	~~() https://lore.kernel.org/git/1M9FnZ-1taoNo1wwh-00ESSd@mail.gmx.net -~~	() https://lore.kernel.org/git/1M9FnZ-1taoNo1wwh-00ESSd@mail.gmx.net - Mailing List, Third Party Advisory
CPE		cpe:2.3:a:git:git::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
First Time		Git git Git
Summary		(es) Git es una herramienta de gestión de código fuente. Al clonar desde un servidor (o buscar o enviar), los mensajes de información o error se transportan desde el proceso Git remoto al cliente a través del llamado "sideband channel". Estos mensajes tendrán el prefijo "remote:" y se imprimirán directamente en la salida de error estándar. Normalmente, esta salida de error estándar está conectada a una terminal que entiende las secuencias de escape ANSI, contra las que Git no protegió. La mayoría de las terminales modernas admiten secuencias de control que pueden ser utilizadas por un actor malintencionado para ocultar y tergiversar información, o para engañar al usuario para que ejecute scripts no confiables. Como se solicitó en la lista de correo git-security, los parches se están discutiendo en la lista de correo pública. Se recomienda a los usuarios que actualicen lo antes posible. Los usuarios que no puedan actualizar deben evitar los clones recursivos a menos que sean de fuentes confiables.

15 Jan 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-15 18:15

Updated : 2025-12-18 16:00

NVD link : CVE-2024-52005

Mitre link : CVE-2024-52005

CVE.ORG link : CVE-2024-52005

JSON object : View

Products Affected

git

CWE

CWE-116

Improper Encoding or Escaping of Output

CWE-150

Improper Neutralization of Escape, Meta, or Control Sequences

8.8 /10