CVE-2014-9390
Description
Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Git clients on case-insensitive filesystems (Windows, OS X) could be tricked into executing arbitrary commands via a malicious .git/config file in a cloned repository.
Root Cause
This vulnerability affects Git versions before 1.8.5.6, 1.9.5, 2.0.5, 2.1.4, 2.2.1, and many other Git-compatible tools including Mercurial, Xcode, libgit2, Egit, and JGit when running on case-insensitive filesystems (Windows NTFS/FAT, OS X HFS+). The core issue is that these clients fail to properly validate entry names within a Git tree. By crafting a tree containing a file that, on a case-insensitive filesystem, maps to .git/config (e.g., using ignorable Unicode codepoints, the 8.3 short filename git~1/config, or mixed case like .GIT/config), an attacker can cause the client to overwrite the local repository's configuration file during clone or checkout operations [1][3].
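The following is an added example, not code from Git, libgit2 or any other project named on this page: a small C tree-entry validator that rejects every alias of `.git` the description lists (mixed case, the NTFS 8.3 short name `git~1`, and spellings padded with codepoints that an HFS+ name lookup ignores), which is the check a client must apply before writing a tree to a case-insensitive filesystem. The function names (`is_dotgit_alias`, `fold_name`, `valid_entry_name`, the last named after the libgit2 function in the patch on this page), the UTF-8 decoder, the sample entry names and the set of ignorable codepoints are all assumptions made here; the codepoint set in particular is an illustrative subset, not a complete table.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode one UTF-8 sequence starting at s into *cp.
 * Returns the number of bytes consumed, or 0 for a malformed lead/continuation
 * byte. Overlong encodings are not rejected; this is a teaching-sized decoder. */
static size_t utf8_decode(const unsigned char *s, uint32_t *cp)
{
    if (s[0] < 0x80) {
        *cp = s[0];
        return 1;
    }
    if ((s[0] & 0xE0) == 0xC0 && (s[1] & 0xC0) == 0x80) {
        *cp = ((uint32_t)(s[0] & 0x1F) << 6) | (s[1] & 0x3F);
        return 2;
    }
    if ((s[0] & 0xF0) == 0xE0 && (s[1] & 0xC0) == 0x80 && (s[2] & 0xC0) == 0x80) {
        *cp = ((uint32_t)(s[0] & 0x0F) << 12) | ((uint32_t)(s[1] & 0x3F) << 6) | (s[2] & 0x3F);
        return 3;
    }
    if ((s[0] & 0xF8) == 0xF0 && (s[1] & 0xC0) == 0x80 && (s[2] & 0xC0) == 0x80 &&
        (s[3] & 0xC0) == 0x80) {
        *cp = ((uint32_t)(s[0] & 0x07) << 18) | ((uint32_t)(s[1] & 0x3F) << 12) |
              ((uint32_t)(s[2] & 0x3F) << 6) | (s[3] & 0x3F);
        return 4;
    }
    return 0;
}

/* Codepoints an HFS+ name lookup ignores when comparing names. Assumed,
 * illustrative subset (zero-width joiners, bidi controls, BOM); a production
 * check needs the filesystem's full list. */
static bool is_hfs_ignorable(uint32_t cp)
{
    return cp == 0x200C || cp == 0x200D || cp == 0x200E || cp == 0x200F ||
           (cp >= 0x202A && cp <= 0x202E) ||
           (cp >= 0x206A && cp <= 0x206F) ||
           cp == 0xFEFF;
}

/* Fold a name the way a case-insensitive lookup would see it: drop ignorable
 * codepoints, lowercase ASCII, replace other non-ASCII with '?' (which can never
 * match ".git"). Stops once the folded form exceeds cap bytes, since a longer
 * name cannot be an alias of ".git" or "git~1".
 * Returns the folded length, cap + 1 if it was longer, or -1 on malformed UTF-8. */
static int fold_name(const char *name, char *out, size_t cap)
{
    const unsigned char *p = (const unsigned char *)name;
    size_t n = 0;

    while (*p) {
        uint32_t cp;
        size_t len = utf8_decode(p, &cp);
        if (len == 0)
            return -1;
        p += len;
        if (is_hfs_ignorable(cp))
            continue;
        if (n == cap) {
            out[n] = '\0';
            return (int)cap + 1;
        }
        if (cp >= 'A' && cp <= 'Z')
            out[n++] = (char)(cp + ('a' - 'A'));
        else
            out[n++] = cp < 0x80 ? (char)cp : '?';
    }
    out[n] = '\0';
    return (int)n;
}

/* True if name would resolve to the repository's .git directory on a
 * case-insensitive filesystem: ".git" in any case, a spelling padded with
 * HFS+-ignorable codepoints, or the NTFS 8.3 short name "git~1". Malformed
 * UTF-8 is treated as an alias so the caller rejects it rather than guessing. */
bool is_dotgit_alias(const char *name)
{
    char folded[8];
    int n = fold_name(name, folded, sizeof folded - 1);

    if (n < 0)
        return true;
    if (n > (int)(sizeof folded - 1))
        return false;
    return strcmp(folded, ".git") == 0 || strcmp(folded, "git~1") == 0;
}

/* Tree entry validation in the spirit of libgit2's valid_entry_name():
 * reject empty names, path separators, "." and "..", and any .git alias. */
bool valid_entry_name(const char *name)
{
    if (name[0] == '\0' || strchr(name, '/') != NULL)
        return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    return !is_dotgit_alias(name);
}

int main(void)
{
    /* Constructed sample entry names, including the three aliases from the
     * CVE description: mixed case, an ignorable codepoint (U+200D), and git~1. */
    const char *samples[] = {
        "README", ".gitignore", ".git", ".GIT", "git~1", ".g\xE2\x80\x8Dit", "\xEF\xBB\xBF.git",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i], valid_entry_name(samples[i]) ? "ok" : "REJECT");
    return 0;
}
```

The check is applied to every tree entry regardless of the host filesystem: a name that only aliases `.git` on Windows or OS X is never legitimate content, so rejecting it on Linux too costs nothing and keeps one code path. Folding is bounded to a few bytes so an arbitrarily long entry name cannot overrun the buffer.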
Exploitation
Exploitation requires an attacker to host a malicious Git repository or convince a victim to clone/checkout from such a repository. No authentication is needed beyond access to the remote repo. The vulnerability triggers automatically when the client processes the malicious tree on a case-insensitive filesystem. The attack does not require user interaction beyond the normal clone or checkout command [2][3].
Impact
An attacker who successfully overwrites .git/config can inject arbitrary Git configuration directives, such as setting core.gitproxy or core.sshCommand, to execute arbitrary commands on the victim's machine. This results in full remote code execution in the context of the user running the Git client. The attack is particularly severe because it can compromise developer workstations, potentially leading to credential theft or supply-chain attacks [3][4].
Mitigation
The vulnerability is patched in Git versions 1.8.5.6, 1.9.5, 2.0.5, 2.1.4, 2.2.1, and later. GitHub blocked malicious trees from being pushed to its servers. Apple addressed the issue in Xcode 6.2 beta 3 [4]. Users should update all Git clients immediately and avoid cloning from untrusted repositories on affected operating systems. Linux systems on case-sensitive filesystems are not vulnerable [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.eclipse.jgit:org.eclipse.jgit (Maven) | < 3.5.3 | 3.5.3 |
| mercurial (PyPI) | < 3.2.3 | 3.2.3 |
Affected products (4)
- Git/Git (source: description)
- GHSA coordinates (3 versions): pkg:maven/org.eclipse.jgit/org.eclipse.jgit, pkg:pypi/mercurial, pkg:rpm/opensuse/git&distro=openSUSE%20Tumbleweed; range: < 3.5.3 (+ 2 more)
- (no CPE) range: < 3.5.3
- (no CPE) range: < 3.2.3
- (no CPE) range: < 2.11.0-1.1
Patches (1)
928429c5c96a tree: Check for `.git` with case insensitivity
1 file changed · +1 −1
src/tree.c+1 −1 modified@@ -55,7 +55,7 @@ static int valid_entry_name(const char *filename) (*filename != '.' || (strcmp(filename, ".") != 0 && strcmp(filename, "..") != 0 && - strcmp(filename, DOT_GIT) != 0)); + strcasecmp(filename, DOT_GIT) != 0)); } static int entry_sort_cmp(const void *a, const void *b)
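Review bot: the change from strcmp to strcasecmp(filename, DOT_GIT) rejects only ASCII case variants such as `.GIT`; of the three representations the description lists (an ignorable Unicode codepoint, the `git~1` 8.3 short name, mixed case), this hunk handles the third alone, so either confirm the other two are rejected elsewhere in the tree code or record the gap in the commit message. Also, strcasecmp is a POSIX function from <strings.h> rather than standard C, so verify the Windows build, the platform this check chiefly protects, has a compatible definition before merging.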
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (14)
- github.com/advisories/GHSA-6vvc-c2m3-cjf3 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2014-9390 (ghsa: ADVISORY)
- article.gmane.org/gmane.linux.kernel/1853266 (ghsa: x_refsource_MISC, WEB)
- git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html (ghsa: x_refsource_MISC, WEB)
- mercurial.selenic.com/wiki/WhatsNew (ghsa: x_refsource_MISC, WEB)
- securitytracker.com/id (ghsa: x_refsource_MISC, WEB)
- support.apple.com/kb/HT204147 (ghsa: x_refsource_MISC, WEB)
- github.com/libgit2/libgit2/commit/928429c5c96a701bcbcafacb2421a82602b36915 (ghsa: x_refsource_MISC, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2020-217.yaml (ghsa: WEB)
- libgit2.org/security (ghsa: WEB)
- libgit2.org/security/ (mitre: x_refsource_MISC)
- news.ycombinator.com/item (ghsa: x_refsource_MISC, WEB)
- projects.eclipse.org/projects/technology.jgit/releases/3.5.3 (ghsa: WEB)
- web.archive.org/web/20211204220400/https://securitytracker.com/id (ghsa: WEB)