CVE-2024-24577: CWE-122: Heap-based Buffer Overflow in libgit2 libgit2
libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2.
AI Analysis
Technical Summary
CVE-2024-24577 is a high-severity heap-based buffer overflow vulnerability in libgit2, a widely used portable C library that implements Git core methods with a linkable API. The vulnerability arises from a flaw in the has_dir_name function within src/libgit2/index.c, where an entry is prematurely freed and subsequently used, leading to use-after-free conditions. Specifically, when the git_index_add function processes crafted inputs, it triggers heap corruption by overwriting freed memory with attacker-controlled data. This heap corruption can be exploited to achieve arbitrary code execution in the context of the application embedding libgit2. The vulnerability affects libgit2 versions prior to 1.6.5 and versions from 1.7.0 up to but not including 1.7.2, with patches released in versions 1.6.5 and 1.7.2. The CVSS v3.1 score is 8.6 (high), reflecting the network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), low integrity impact (I:L), and low availability impact (A:L). While no known exploits are currently reported in the wild, the vulnerability's nature and ease of exploitation make it a significant risk, especially for applications that integrate libgit2 for Git operations and handle untrusted input data.
Potential Impact
European organizations that develop or deploy software relying on libgit2 are at risk of remote arbitrary code execution attacks if they process untrusted Git data or repositories. This can lead to unauthorized access, data exfiltration, or disruption of services. Since libgit2 is embedded in various developer tools, CI/CD pipelines, and version control integrations, exploitation could compromise software supply chains or developer workstations. The high confidentiality impact indicates potential leakage of sensitive source code or intellectual property. The vulnerability's network accessibility and lack of required privileges increase the attack surface, potentially affecting cloud-based development environments and on-premises infrastructure alike. Organizations in Europe with critical software development operations, especially those in finance, technology, and government sectors, could face operational disruptions and reputational damage if exploited.
Mitigation Recommendations
European organizations should immediately audit their software stacks to identify usage of libgit2, particularly versions older than 1.6.5 or between 1.7.0 and 1.7.2. Upgrading to patched versions 1.6.5 or 1.7.2 is the primary mitigation step. For applications where immediate upgrade is not feasible, implementing input validation and sanitization on Git data before passing it to libgit2 can reduce risk. Employ runtime protections such as heap integrity checks, memory corruption detection tools (e.g., AddressSanitizer), and exploit mitigation technologies like Control Flow Integrity (CFI) and Data Execution Prevention (DEP). Restrict network exposure of services that utilize libgit2 to trusted users and environments. Incorporate monitoring for anomalous behaviors indicative of exploitation attempts, such as unexpected process crashes or memory errors. Finally, integrate vulnerability scanning into CI/CD pipelines to detect outdated libgit2 versions proactively.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland
CVE-2024-24577: CWE-122: Heap-based Buffer Overflow in libgit2 libgit2
Description
libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2.
AI-Powered Analysis
Technical Analysis
CVE-2024-24577 is a high-severity heap-based buffer overflow vulnerability in libgit2, a widely used portable C library that implements Git core methods with a linkable API. The vulnerability arises from a flaw in the has_dir_name function within src/libgit2/index.c, where an entry is prematurely freed and subsequently used, leading to use-after-free conditions. Specifically, when the git_index_add function processes crafted inputs, it triggers heap corruption by overwriting freed memory with attacker-controlled data. This heap corruption can be exploited to achieve arbitrary code execution in the context of the application embedding libgit2. The vulnerability affects libgit2 versions prior to 1.6.5 and versions from 1.7.0 up to but not including 1.7.2, with patches released in versions 1.6.5 and 1.7.2. The CVSS v3.1 score is 8.6 (high), reflecting the network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), low integrity impact (I:L), and low availability impact (A:L). While no known exploits are currently reported in the wild, the vulnerability's nature and ease of exploitation make it a significant risk, especially for applications that integrate libgit2 for Git operations and handle untrusted input data.
Potential Impact
European organizations that develop or deploy software relying on libgit2 are at risk of remote arbitrary code execution attacks if they process untrusted Git data or repositories. This can lead to unauthorized access, data exfiltration, or disruption of services. Since libgit2 is embedded in various developer tools, CI/CD pipelines, and version control integrations, exploitation could compromise software supply chains or developer workstations. The high confidentiality impact indicates potential leakage of sensitive source code or intellectual property. The vulnerability's network accessibility and lack of required privileges increase the attack surface, potentially affecting cloud-based development environments and on-premises infrastructure alike. Organizations in Europe with critical software development operations, especially those in finance, technology, and government sectors, could face operational disruptions and reputational damage if exploited.
Mitigation Recommendations
European organizations should immediately audit their software stacks to identify usage of libgit2, particularly versions older than 1.6.5 or between 1.7.0 and 1.7.2. Upgrading to patched versions 1.6.5 or 1.7.2 is the primary mitigation step. For applications where immediate upgrade is not feasible, implementing input validation and sanitization on Git data before passing it to libgit2 can reduce risk. Employ runtime protections such as heap integrity checks, memory corruption detection tools (e.g., AddressSanitizer), and exploit mitigation technologies like Control Flow Integrity (CFI) and Data Execution Prevention (DEP). Restrict network exposure of services that utilize libgit2 to trusted users and environments. Incorporate monitoring for anomalous behaviors indicative of exploitation attempts, such as unexpected process crashes or memory errors. Finally, integrate vulnerability scanning into CI/CD pipelines to detect outdated libgit2 versions proactively.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2024-01-25T15:09:40.211Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682cd0fa1484d88663aec37c
Added to database: 5/20/2025, 6:59:06 PM
Last enriched: 7/4/2025, 6:57:18 PM
Last updated: 8/7/2025, 12:58:18 PM
Views: 10
Related Threats
CVE-2025-6625: CWE-20 Improper Input Validation in Schneider Electric Modicon M340
HighCVE-2025-57703: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Delta Electronics DIAEnergie
MediumCVE-2025-57702: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Delta Electronics DIAEnergie
MediumCVE-2025-57701: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Delta Electronics DIAEnergie
MediumCVE-2025-57700: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Delta Electronics DIAEnergie
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.