CVE-2022-24975 in Git (GitBleed)info

Summary

by MITRE • 02/11/2022

The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the "GitBleed" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 05/06/2026

The CVE-2022-24975 vulnerability represents a significant information disclosure issue within Git version 2.35.1 and earlier, commonly referred to as the "GitBleed" vulnerability. This flaw stems from incomplete documentation regarding the --mirror option in Git's clone functionality, creating a security gap that affects how organizations conduct information disclosure auditing processes. The vulnerability specifically impacts systems where security audits rely on Git clone operations to assess repository contents, particularly when these operations omit the --mirror flag that would normally preserve deleted content. The documentation gap means that administrators and security professionals may unknowingly perform clone operations that fail to capture deleted files and commits, potentially masking sensitive information that was previously accessible in the repository history.

The technical implementation of this vulnerability involves Git's handling of repository mirroring and content retention during clone operations. When Git performs a standard clone without the --mirror option, it does not preserve all historical information including deleted content that might have contained sensitive data. However, the --mirror option enables the creation of a complete mirror of the repository including all references and deleted content, which is crucial for comprehensive auditing. The lack of documentation about this behavior creates confusion among users who may not realize that their standard clone operations could miss critical information, particularly deleted files that were part of the repository's history. This behavior aligns with CWE-200, which addresses information exposure, and represents a failure in proper access control and information flow management within the version control system.

The operational impact of CVE-2022-24975 extends beyond simple information disclosure to potentially compromise security auditing processes that rely on complete repository snapshots. Organizations conducting security assessments, compliance audits, or forensic investigations may inadvertently miss deleted content that contains sensitive information, intellectual property, or security-relevant data. This vulnerability particularly affects environments where audit trails must include all repository history, including deleted files that might contain credentials, private keys, or other confidential information. The issue creates a false sense of security when standard clone operations are used for security assessments, as these operations may not reveal the complete repository state. From an attacker's perspective, this vulnerability could enable information leakage through improperly configured backup or mirroring procedures, as deleted content might be inadvertently preserved in certain scenarios.

Organizations should implement immediate mitigations including updating to Git version 2.35.2 or later where this documentation gap has been addressed, and establishing proper training protocols for security teams regarding Git clone operations and the importance of using --mirror options for comprehensive auditing. System administrators should review existing backup and audit procedures to ensure that repository mirroring includes deleted content when security assessments are required. The vulnerability demonstrates the importance of comprehensive documentation in security-critical software components and highlights how incomplete information can create exploitable gaps in security processes. Security teams should also implement monitoring procedures to detect when standard clone operations are used in environments where --mirror functionality should be mandatory. This issue aligns with ATT&CK technique T1552.001, which covers credentials in files, as deleted content in repositories may contain sensitive information that should be properly managed during cloning operations.

Reservation

02/11/2022

Disclosure

02/11/2022

Moderation

accepted

CPE

ready

EPSS

0.02645

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!