VYPR
Critical severity · NVD Advisory · Published Apr 17, 2024 · Updated Aug 1, 2024

HashiCorp go-getter Vulnerable to Argument Injection When Fetching Remote Default Git Branches

CVE-2024-3817

Description

HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches.

This vulnerability does not affect the go-getter/v2 branch and package.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

HashiCorp's go-getter library before 1.7.4 is vulnerable to argument injection when using Git to discover remote branches, allowing attackers to inject arbitrary Git arguments via a crafted URL.

Vulnerability

CVE-2024-3817 is an argument injection vulnerability in HashiCorp's go-getter library (versions 1.5.9 to 1.7.3). The flaw occurs when go-getter executes Git commands to discover remote branches of a repository. Specifically, user-provided Git URLs are not properly sanitized before being passed as arguments to the Git binary, enabling an attacker to inject additional Git arguments [2][3].

Exploitation

An attacker can exploit this vulnerability by supplying a specially crafted Git URL to an application that uses the go-getter library. No authentication is required; the attacker only needs to control the URL input. The injection occurs during the git ls-remote or git clone operations, where a URL string that Git parses as a command-line option rather than as a repository address changes the behavior of the Git command [3][4].

Impact

Successful exploitation could allow an attacker to inject arbitrary Git arguments, potentially leading to code execution, information disclosure, or other unintended behaviors, depending on the context in which go-getter is used. The impact is particularly significant in environments like Terraform or Nomad, where go-getter is used to download modules or binaries [3].

Mitigation

The vulnerability is fixed in go-getter version 1.7.4. The fix inserts a -- separator before the user-provided URL in the git clone and git ls-remote invocations; Git stops parsing options at --, so the URL is always treated as a positional operand and can no longer be interpreted as a Git argument [4]. Users are advised to upgrade to 1.7.4 or later. The go-getter/v2 branch is not affected [3].
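The separator mechanism described in the Vulnerability and Mitigation paragraphs above, as an added example in Go. This is illustration code written for this page, not go-getter's code: buildCloneArgs only mirrors the shape of the patched clone argument list, splitOptions is a deliberately simplified model of how a getopt-style parser such as git's treats tokens before and after "--", and validateRemoteURL is an extra defense-in-depth guard this example adds that is not part of the 1.7.4 fix. The sample URL "--no-refs" is the same value the project's regression test uses.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// buildCloneArgs builds the argv for "git clone" in the same shape as the
// patched go-getter code path (modelled here, not copied). With safe=false
// it reproduces the pre-1.7.4 layout; with safe=true it inserts the "--"
// separator that the fix added.
func buildCloneArgs(u *url.URL, dst, ref string, depth int, safe bool) []string {
	args := []string{"clone"}
	if depth > 0 {
		args = append(args, "--depth", strconv.Itoa(depth))
	}
	if ref != "" {
		args = append(args, "--branch", ref)
	}
	if safe {
		// "--" ends option parsing: everything after it is an operand,
		// even if it begins with "-".
		args = append(args, "--")
	}
	return append(args, u.String(), dst)
}

// splitOptions is a simplified model (assumption, not git's real parser) of
// how git classifies the tokens that follow a subcommand: before "--", a
// token starting with "-" is an option and a few options consume the next
// token as their value; after "--", every token is a positional operand.
func splitOptions(tokens []string) (options, operands []string) {
	takesValue := map[string]bool{"--depth": true, "--branch": true}
	for i := 0; i < len(tokens); i++ {
		tok := tokens[i]
		if tok == "--" {
			operands = append(operands, tokens[i+1:]...)
			break
		}
		if strings.HasPrefix(tok, "-") {
			options = append(options, tok)
			if takesValue[tok] && i+1 < len(tokens) {
				i++ // skip the option's value
			}
			continue
		}
		operands = append(operands, tok)
	}
	return options, operands
}

// validateRemoteURL is an additional input guard (this example's own
// assumption, not part of the go-getter fix): reject remote strings that
// could be read as a flag before they ever reach an exec call. Using "--"
// remains the primary control; this only provides a second, earlier check.
func validateRemoteURL(raw string) error {
	if strings.HasPrefix(raw, "-") {
		return fmt.Errorf("remote %q rejected: leading '-' would be parsed as a git option", raw)
	}
	if _, err := url.Parse(raw); err != nil {
		return fmt.Errorf("remote %q rejected: %w", raw, err)
	}
	return nil
}

func main() {
	// Constructed sample input: the same value the project's regression test uses.
	u, err := url.Parse("--no-refs")
	if err != nil {
		panic(err)
	}
	for _, safe := range []bool{false, true} {
		args := buildCloneArgs(u, "/tmp/dst", "main", 1, safe)
		opts, ops := splitOptions(args[1:])
		fmt.Printf("separator=%v argv=%q\n  options=%q operands=%q\n", safe, args, opts, ops)
	}
	fmt.Println("guard:", validateRemoteURL("--no-refs"))
	fmt.Println("guard:", validateRemoteURL("https://github.com/hashicorp/go-getter.git"))
}
```

Run as written and the first argv shows "--no-refs" classified as an option, which is the CVE-2024-3817 condition; the second argv, with "--" present, shows it classified as an operand alongside dst, which is what the 1.7.4 change achieves.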

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/hashicorp/go-getter (Go)
Affected versions: >= 1.5.9, < 1.7.4
Patched versions: 1.7.4

Affected products

38

Patches

1
268c11cae8cf

escape user provided string to git (#483)

https://github.com/hashicorp/go-getter · Mark Collao · Apr 15, 2024 · via ghsa
2 files changed · +32 −2
  • get_git.go +2 −2 modified
    @@ -200,7 +200,7 @@ func (g *GitGetter) clone(ctx context.Context, dst, sshKeyFile string, u *url.UR
     		args = append(args, "--depth", strconv.Itoa(depth))
     		args = append(args, "--branch", ref)
     	}
    -	args = append(args, u.String(), dst)
    +	args = append(args, "--", u.String(), dst)
     
     	cmd := exec.CommandContext(ctx, "git", args...)
     	setupGitEnv(cmd, sshKeyFile)
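Review bot: the new "--" in `args = append(args, "--", u.String(), dst)` carries no comment explaining its purpose, and since this separator is the whole fix, a one-line comment such as `// "--" ends option parsing so a URL or dst beginning with "-" is never read as a git flag` would keep a later refactor from dropping it silently. Note that the `--depth` and `--branch` values on the preceding lines are still passed as option arguments by design; only the two trailing operands are protected by this change.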
    @@ -289,7 +289,7 @@ func findDefaultBranch(ctx context.Context, dst string) string {
     // default branch. "master" is returned if no HEAD symref exists.
     func findRemoteDefaultBranch(ctx context.Context, u *url.URL) string {
     	var stdoutbuf bytes.Buffer
    -	cmd := exec.CommandContext(ctx, "git", "ls-remote", "--symref", u.String(), "HEAD")
    +	cmd := exec.CommandContext(ctx, "git", "ls-remote", "--symref", "--", u.String(), "HEAD")
     	cmd.Stdout = &stdoutbuf
     	err := cmd.Run()
     	matches := lsRemoteSymRefRegexp.FindStringSubmatch(stdoutbuf.String())
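Review bot: placing "--" after `--symref` is correct, so `u.String()` and `HEAD` are both operands to ls-remote now; as in the clone hunk, a comment on that line would document the intent. Separately, within the visible context `err` from `cmd.Run()` is assigned but `FindStringSubmatch` runs on `stdoutbuf` before any check of it appears; if the check happens below the hunk that is fine, otherwise an ls-remote failure falls through silently to the "master" default described in the comment above the function.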
    
  • get_git_test.go +30 −0 modified
    @@ -836,6 +836,36 @@ func TestGitGetter_subdirectory(t *testing.T) {
     	}
     }
     
    +func TestGitGetter_BadRemoteUrl(t *testing.T) {
    +
    +	if !testHasGit {
    +		t.Log("git not found, skipping")
    +		t.Skip()
    +	}
    +
    +	g := new(GitGetter)
    +	dst := tempDir(t)
    +
    +	// try an option that exists
    +	badUrl := "--no-refs"
    +
    +	u, err := url.Parse(badUrl)
    +	if err != nil {
    +		t.Fatal(err)
    +	}
    +
    +	err = g.Get(dst, u)
    +	if err == nil {
    +		t.Fatalf("get succeeded; want error")
    +	}
    +
    +	got := err.Error()
    +	want := `repository '--no-refs' does not exist`
    +	if !strings.Contains(got, want) {
    +		t.Fatalf("wrong error\ngot:  %s\nwant: %q", got, want)
    +	}
    +}
    +
     // gitRepo is a helper struct which controls a single temp git repo.
     type gitRepo struct {
     	t   *testing.T
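Review bot: the assertion on `want` ties the test to the exact wording of git's error message (`repository '--no-refs' does not exist`), which can differ across git versions and locales; matching on a stable fragment, or on the fact that the input appears quoted as a repository name rather than being accepted as an option, would be less brittle. The test also exercises only the `Get` path; a direct call to `findRemoteDefaultBranch` with the same `--no-refs` input would cover the second hunk in get_git.go.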
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.