CVE-2024-24575

CVE-2024-24575 is a high-severity vulnerability in Libgit2 with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-400.

Key facts

Description

libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_revparse_single` can cause the function to enter an infinite loop, potentially causing a Denial of Service attack in the calling application. The revparse function in `src/libgit2/revparse.c` uses a loop to parse the user-provided spec string. There is an edge-case during parsing that allows a bad actor to force the loop conditions to access arbitrary memory. Potentially, this could also leak memory if the extracted rev spec is reflected back to the attacker. As such, libgit2 versions before 1.4.0 are not affected. Users should upgrade to version 1.6.5 or 1.7.2.

Frequently asked questions

What is CVE-2024-24575?
libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_revparse_single` can cause the function to enter an infinite loop, potentially causing a Denial of Service attack in the calling application. The revparse function in `src/libgit2/revparse.c` uses a loop to parse the user-provided spec string. There is an edge-case during parsing that allows a bad actor to force the loop conditions to access arbitrary memory. Potentially, this could also leak memory if the extracted rev spec is reflected back to the attacker. As such, libgit2 versions before 1.4.0 are not affected. Users should upgrade to version 1.6.5 or 1.7.2.
How severe is CVE-2024-24575?
CVE-2024-24575 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
Is CVE-2024-24575 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (70th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2024-24575?
CVE-2024-24575 affects Libgit2. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2024-24575?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
Does CVE-2024-24575 have an EU (EUVD) identifier?
Yes. CVE-2024-24575 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-21980.
When was CVE-2024-24575 published?
CVE-2024-24575 was published on 2024-02-06 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Libgit2

All CVEs affecting Libgit2 →

Other CWE-400 (Uncontrolled Resource Consumption) vulnerabilities

Browse all CWE-400 (Uncontrolled Resource Consumption) vulnerabilities →