Facilitating the spread of knowledge and innovation in professional software development



Choose your language

InfoQ Homepage News New Git Submodule Vulnerability Patched

New Git Submodule Vulnerability Patched

This item in japanese


The Git community has disclosed a security vulnerability affecting the clone and submodule commands that could enable remote code execution when vulnerable machines access malicious repositories. The vulnerability, which has been assigned CVE–2018–17456 by Mitre, has been fixed in Git 2.19.1.

To trigger the vulnerability, a malicious repository could forge a .gitmodules containing an URL starting with a dash. This would affect both git clone --recurse-submodules and git submodule update --recursive in that they would recursively pass the URL starting with a dash to a git clone or git submodule subprocess that would interpret the URL as a command option. This could lead to executing an arbitrary command on the local machine. This vulnerability is similar to CVE–2017–1000117, which also enabled an option-injection attack by forging ssh URLs starting with a dash that would be interpreted as an option by the ssh subprocess executed by git. No exploits are known at the moment.

We were also able to use the time to scan all repositories on GitHub for evidence of the attack being used in the wild. We’re happy to report that no instances were found (and now, with our detection, none can be added).

As shown in the PR fixing the vulnerability, submitted by @joernchen, the fix is quite trivial in itself. Yet, this discovery provided the opportunity for an overall audit of .gitmodules, which led to implementing stricter checks on both paths and URLs found inside of it.

As mentioned, the fix for this vulnerability is included in Git 2.19.1. Additionally, it has been backported to versions 2.14.5, 2.15.3, 2.16.5, 2.17.2, and 2.18.1. Since git is integrated in GitHub projects such as GitHub Desktop and Atom, those have been patched as well, so you will be better off upgrading them as soon as possible.

Rate this Article


Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p


Is your profile up-to-date? Please take a moment to review and update.

Note: If updating/changing your email, a validation request will be sent

Company name:
Company role:
Company size:
You will be sent an email to validate the new email address. This pop-up will close itself in a few moments.