Denial of service attack in `git_revparse_single` · Advisory · libgit2/libgit2 · GitHub
Denial of service attack in `git_revparse_single`
Severity: Moderate
Package: libgit2 (C)
Affected versions: >= 1.4.0, < 1.6.5; >= 1.4.0, < 1.7.2
Patched versions: 1.6.5, 1.7.2
CVE ID: CVE-2024-24575
Weaknesses: No CWEs

Description
Impact
Using well-crafted inputs to `git_revparse_single` can cause the function to enter an infinite loop, potentially causing a denial of service in the calling application.

Detailed description
The revparse function in `src/libgit2/revparse.c` uses a loop to parse the user-provided spec string. There is an edge case during parsing that allows a bad actor to force the loop conditions to access arbitrary memory. This can be abused to create an infinite loop in the revparse function. Potentially, this could also leak memory if the extracted rev spec is reflected back to the attacker.

This issue was introduced in commit add2dabb3c16aa49b33904dcdc07cd915efc12fa, so libgit2 versions before 1.4.0 are not affected. Some language-specific wrappers (for example Rugged for Ruby) bundle old versions of libgit2 (< 1.4) and are not affected. pygit2 since version 1.9 and git2go since v34 are affected.
Patches
Users should upgrade to v1.6.5 or v1.7.2.
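As an added example (not code from libgit2, pygit2 or git2go), the Python module below checks whether the libgit2 actually linked into a process falls inside the affected ranges above and shows how to resolve an attacker-controlled rev spec without letting a hang take the service down. It assumes pygit2 as the binding, which exposes the linked library version as `pygit2.LIBGIT2_VERSION` and resolves specs through `Repository.revparse_single`. The reading of the two ranges as the 1.6 and 1.7 release lines (so 1.6.5 and later 1.6.x count as patched), the helper names (`run_with_hard_timeout`, `revparse_untrusted`, `MAX_SPEC_LEN`) and the hang stand-in `_spin_forever` are this example's own, not the libgit2 code path.

```python
"""Exposure check and hang guard for CVE-2024-24575 (libgit2 git_revparse_single).

Added example for this advisory; not libgit2, pygit2 or git2go project code.
Version ranges come from the advisory text. Assumption: the two affected ranges
describe the 1.6 and 1.7 release lines, so 1.6.5 and later 1.6.x are patched.
"""
import multiprocessing as mp
import queue
from typing import Any, Callable, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'v1.7.1', '1.7.1+dirty' or '1.6' -> (1, 7, 1) / (1, 6, 0)."""
    parts = []
    for piece in text.strip().lstrip("v").split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def libgit2_affected(version: str) -> bool:
    """True when the linked libgit2 falls inside the advisory's affected ranges."""
    v = parse_version(version)
    if v < (1, 4, 0):
        return False          # bug introduced in 1.4.0 (commit add2dabb...)
    if v < (1, 6, 5):
        return True           # >= 1.4.0, < 1.6.5
    if v < (1, 7, 0):
        return False          # 1.6.5 and later 1.6.x carry the fix (assumption)
    return v < (1, 7, 2)      # 1.7.0 and 1.7.1 affected, 1.7.2 patched


def pygit2_exposure() -> Optional[Tuple[str, bool]]:
    """(linked libgit2 version, affected?) for an installed pygit2, else None.

    What matters is the libgit2 actually linked, bundled or system-provided.
    """
    try:
        import pygit2  # optional; absent in this offline example
    except ImportError:
        return None
    ver = pygit2.LIBGIT2_VERSION
    return ver, libgit2_affected(ver)


def _worker(fn: Callable[..., Any], args: tuple, out: Any) -> None:
    """Child-process body: run fn and ship back ('ok', result) or ('error', repr)."""
    try:
        out.put(("ok", fn(*args)))
    except Exception as exc:  # report instead of dying silently
        out.put(("error", repr(exc)))


def run_with_hard_timeout(fn: Callable[..., Any], args: tuple, timeout_s: float) -> Tuple[str, Any]:
    """Run fn(*args) in a child process and kill it if it overruns timeout_s.

    A loop spinning inside libgit2's C code never returns control to the
    interpreter, so a thread join or signal-based timeout cannot stop it; a
    separate process can simply be killed. Returns ('ok', result),
    ('error', message) or ('timeout', None).
    """
    ctx = mp.get_context("fork" if "fork" in mp.get_all_start_methods() else "spawn")
    out = ctx.Queue()
    proc = ctx.Process(target=_worker, args=(fn, args, out), daemon=True)
    proc.start()
    proc.join(timeout_s)
    if proc.is_alive():
        proc.kill()
        proc.join()
        return "timeout", None
    try:
        return out.get(timeout=1.0)
    except queue.Empty:
        return "error", "worker exited without reporting a result"


def _pygit2_revparse(repo_path: str, spec: str) -> str:
    """Resolve spec with pygit2 inside the child; returns the object id as hex."""
    import pygit2  # imported in the child so a missing module surfaces as ('error', ...)
    return str(pygit2.Repository(repo_path).revparse_single(spec).id)


MAX_SPEC_LEN = 256  # input hygiene only; the real controls are the timeout and upgrading


def revparse_untrusted(repo_path: str, spec: str, timeout_s: float = 2.0) -> Tuple[str, Any]:
    """Resolve an attacker-controlled rev spec without letting a hang stall the caller."""
    if len(spec) > MAX_SPEC_LEN or any(ord(c) < 0x20 for c in spec):
        return "rejected", None
    return run_with_hard_timeout(_pygit2_revparse, (repo_path, spec), timeout_s)


def _spin_forever(_spec: str) -> None:
    """Constructed stand-in for a parser that never terminates (not libgit2 code)."""
    while True:
        pass


def _fast_ok(spec: str) -> str:
    """Constructed stand-in for a healthy revparse call."""
    return "resolved:" + spec


if __name__ == "__main__":
    print(libgit2_affected("1.7.1"), libgit2_affected("1.7.2"))   # True False
    print(run_with_hard_timeout(_fast_ok, ("HEAD",), 2.0))        # ('ok', 'resolved:HEAD')
    print(run_with_hard_timeout(_spin_forever, ("HEAD",), 0.5))   # ('timeout', None)
    print(pygit2_exposure())
```

The process boundary is the point of the guard: a loop inside C never yields to the interpreter, so `threading.Timer`, `signal.alarm` or an asyncio timeout cannot interrupt it, and only killing the worker reliably bounds the damage. Keep the worker's error text out of responses as well, since the advisory notes that a reflected rev spec could leak memory contents. When auditing a wrapper, check the libgit2 version it links, whether bundled or system-provided, rather than the wrapper's own version number.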