| CARVIEW |
Select Language
HTTP/2 200
date: Thu, 17 Jul 2025 11:55:01 GMT
content-type: text/html; charset=utf-8
vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, X-Requested-With,Accept-Encoding, Accept, X-Requested-With
etag: W/"adb526deb1e1e56eaaad3e737c43c695"
cache-control: max-age=0, private, must-revalidate
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: deny
x-content-type-options: nosniff
x-xss-protection: 0
referrer-policy: no-referrer-when-downgrade
content-security-policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com release-assets.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com copilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/ github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/
server: github.com
content-encoding: gzip
accept-ranges: bytes
set-cookie: _gh_sess=yYtwKt4fAHB0tDmIMjyp2Wfjv2R3kqO%2FYT%2FFKFLsKAGo37VNtnKsqJfXl9xABs2vCk%2F8dRTVyZkzLrr761XrqfwCLvKvp5SfPk%2Fi2tgxLdm60ep3bqo%2Frvdr5wufVT8mZhfY5THnWBPvN1jIZQJww%2ByQhQ8uqb16etMaR1%2BD9sQpfmnlxiEbQxxPB6flm0KZ1Gw%2BrJCNxMmy8dNk45yStZgst%2B7lymws0YG7Zyc4Duk2%2B6jZ5ogVsjnsHWsBi9GxeS4PohHKsdYMIbHGl9rLGw%3D%3D--1RulWqAmvWOhcCxq--peJUDtSqMDtvdxzHa0GzZg%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: _octo=GH1.1.1695161532.1752753301; Path=/; Domain=github.com; Expires=Fri, 17 Jul 2026 11:55:01 GMT; Secure; SameSite=Lax
set-cookie: logged_in=no; Path=/; Domain=github.com; Expires=Fri, 17 Jul 2026 11:55:01 GMT; HttpOnly; Secure; SameSite=Lax
x-github-request-id: CDEA:E7B3F:1D6912:20A7B6:6878E495
Arbitrary code execution due to heap corruption in `git_index_add` · Advisory · libgit2/libgit2 · GitHub
Skip to content
Navigation Menu
{{ message }}
-
Notifications
You must be signed in to change notification settings - Fork 2.5k
Arbitrary code execution due to heap corruption in `git_index_add`
High
Package
libgit2
(C)
Affected versions
< 1.6.5
< 1.7.2
Patched versions
1.6.5
1.7.2
Description
Severity
High
CVE ID
CVE-2024-24577
Weaknesses
No CWEs
You can’t perform that action at this time.
Impact
Using well-crafted inputs to
git_index_addcan cause heap corruption that could be leveraged for arbitrary code execution.Detailed description
There is an issue in the
has_dir_namefunction insrc/libgit2/index.c, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution.To trigger the problem, the bad actor must be able to trigger two consecutive calls to
git_index_addwith a filename that starts with a/character. To control the heap corruption, the bad actor must be able to control thectimefield of the git_index_entry data structure.Patches
Users should upgrade to v1.6.5 or v1.7.2.
Workarounds
Prevent paths beginning with
/from being provided togit_index_add.