CVE-2023-25652

7.5 HIGH

📋 TL;DR

CVE-2023-25652 is a path traversal vulnerability in Git's `git apply --reject` command that allows attackers to write partially controlled content to arbitrary files outside the working directory. This affects all Git users who apply patches from untrusted sources using the `--reject` flag. The vulnerability can lead to file corruption, data loss, or potential code execution depending on what files are overwritten.

💻 Affected Systems

Products:
  • Git
Versions: All versions prior to 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1
Operating Systems: All operating systems running affected Git versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when the `git apply --reject` command is run on a malicious patch. The `--reject` flag must be explicitly used; plain `git apply` is not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could overwrite critical files (configuration files, scripts, or binaries) that are writable by the user running `git apply`, leading to system compromise, data destruction, or remote code execution if the overwritten file is later executed.

🟠 Likely Case

Attackers could corrupt project files, configuration files, or scripts in the parent directories of the working tree, causing data loss, service disruption, or privilege escalation if sensitive files are modified.

🟢 If Mitigated

With proper controls, the impact is limited to denial of service through file corruption in non-critical directories, with no privilege escalation or remote code execution.

🌐 Internet-Facing: MEDIUM - While Git itself isn't typically internet-facing, CI/CD pipelines, code review systems, or automated patch application services could be vulnerable if they process patches from external sources.
🏢 Internal Only: MEDIUM - Developers applying patches from internal but untrusted sources could be affected, potentially leading to lateral movement within development environments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the victim to apply a specially crafted patch with the `--reject` flag. The vulnerability is well-documented with proof-of-concept examples in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, or 2.40.1

Vendor Advisory: https://github.com/git/git/security/advisories/GHSA-2hvf-7c8p-28fx

Restart Required: No

Instructions:

1. Check the current Git version: `git --version`.
2. Update Git using your package manager:
   - Ubuntu/Debian: `sudo apt update && sudo apt upgrade git`
   - RHEL/CentOS: `sudo yum update git`
   - macOS: `brew upgrade git`
3. Verify the update: `git --version` should show a patched version.

🔧 Temporary Workarounds

Avoid `git apply --reject` with untrusted patches (applies to: all platforms)

Do not use the `--reject` flag when applying patches from untrusted sources.

# Instead of: git apply --reject patch.patch
# Use: git apply --stat patch.patch to inspect first, then apply without --reject if safe

Inspect patches before applying (applies to: all platforms)

Use `git apply --stat` to examine patch contents before applying.

git apply --stat patch.patch
# Review output for suspicious paths or operations
# Only apply if patch looks safe

🧯 If You Can't Patch

  • Implement strict patch review processes: require manual review of all patches before application
  • Use sandboxed environments for patch application: apply patches in isolated containers or VMs with limited filesystem access

🔍 How to Verify

Check if Vulnerable:

Check Git version: if version is earlier than 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, or 2.40.1, and you use `git apply --reject`, you are vulnerable.

Check Version:

git --version

Verify Fix Applied:

Run `git --version` and confirm version is 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, or 2.40.1 or later.
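A script that applies the version rule above mechanically (an added example, not part of this advisory or of Git itself; the fixed-version table is copied from the advisory, and the sample `git --version` strings are constructed):

```python
import re
import subprocess

# First fixed release on each maintenance branch, as listed in the advisory.
FIXED_PATCHLEVEL = {
    (2, 30): 9, (2, 31): 8, (2, 32): 7, (2, 33): 8, (2, 34): 8, (2, 35): 8,
    (2, 36): 6, (2, 37): 7, (2, 38): 5, (2, 39): 3, (2, 40): 1,
}


def parse_git_version(output: str) -> tuple:
    """Extract (major, minor, patch) from `git --version` output; keeps only
    the numeric prefix so "2.39.2 (Apple Git-143)" or "2.41.0.windows.1" parse."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", output)
    if not m:
        raise ValueError(f"unrecognised version string: {output!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(version: tuple) -> bool:
    """True if this Git lacks the CVE-2023-25652 fix (exposure still
    requires running `git apply --reject` on an untrusted patch)."""
    major, minor, patch = version
    branch = (major, minor)
    if branch in FIXED_PATCHLEVEL:
        return patch < FIXED_PATCHLEVEL[branch]
    # Branches older than 2.30 never received the fix; branches newer
    # than 2.40 were released after it landed.
    return branch < min(FIXED_PATCHLEVEL)


def check_installed_git() -> str:
    """Run the real `git --version` (if present) and classify it."""
    try:
        out = subprocess.run(["git", "--version"], capture_output=True,
                             text=True, check=True).stdout.strip()
    except (OSError, subprocess.CalledProcessError) as exc:
        return f"could not run git: {exc}"
    verdict = "VULNERABLE" if is_vulnerable(parse_git_version(out)) else "fixed"
    return f"{out}: {verdict}"


# Constructed sample strings, not taken from the advisory.
SAMPLES = ["git version 2.29.2", "git version 2.39.2 (Apple Git-143)",
           "git version 2.39.3", "git version 2.41.0.windows.1"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s}: {'VULNERABLE' if is_vulnerable(parse_git_version(s)) else 'fixed'}")
    print(check_installed_git())
```

Distributions such as Debian and RHEL often backport security fixes without changing the upstream version string, so a version-only check can report a false positive there; confirm against the distribution's own advisory.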

📡 Detection & Monitoring

Log Indicators:

  • Failed patch applications with --reject flag
  • Unexpected file modifications outside working directory
  • Error messages about path traversal in git apply operations

Network Indicators:

  • Downloads of patch files from untrusted sources followed by git apply commands

SIEM Query:

Process execution logs showing 'git apply --reject' command followed by file modification events outside expected directories
