CVE-2018-17456

CRITICAL

Malicious Git HTTP Server For CVE-2018-17456

Title source: metasploit
STIX 2.1

Exploitation Summary

EIP tracks 9 public exploits for CVE-2018-17456. PoCs published by joernchen, Junio C Hamano, AnonymKing, including Metasploit module exploits/multi/http/git_submodule_url_exec.

AI-analyzed exploit summary The writeup explains CVE-2018-17456, a Git RCE vulnerability where a malicious `.gitmodules` file can inject arbitrary commands via the `url` field. The exploit leverages a colon in the path to bypass checks and execute a payload script via the `upload-pack` flag.

Description

Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.

Exploits (9)

exploitdb WRITEUP
by joernchen · locallinux
https://www.exploit-db.com/exploits/45631

The writeup explains CVE-2018-17456, a Git RCE vulnerability where a malicious `.gitmodules` file can inject arbitrary commands via the `url` field. The exploit leverages a colon in the path to bypass checks and execute a payload script via the `upload-pack` flag.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Git (versions prior to fix)
No auth needed
Prerequisites: Victim must clone a malicious repository containing the crafted `.gitmodules` file
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP
by Junio C Hamano · textlocallinux
https://www.exploit-db.com/exploits/45548

This is a writeup describing CVE-2018-17456, a vulnerability in Git where a malicious .gitmodules file can lead to arbitrary code execution during a 'git clone --recurse-submodules' operation. The exploit involves crafting a URL field starting with a dash to manipulate the 'git clone' subprocess.

Classification
Writeup 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Git versions before 2.17.2, 2.18.1, and 2.19.1
No auth needed
Prerequisites: Ability to craft a malicious .gitmodules file in a Git repository · Victim must run 'git clone --recurse-submodules' on the repository
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 5 stars
by AnonymKing · poc
https://github.com/AnonymKing/CVE-2018-17456

This PoC demonstrates CVE-2018-17456, an input validation error in Git that allows arbitrary command execution during recursive submodule cloning. The exploit constructs a malicious repository with a crafted `.gitmodules` file to trigger command injection.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Git versions before 2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1, and 2.19.1
No auth needed
Prerequisites: Git client with vulnerable version · Ability to host a malicious repository · Victim performs `git clone --recursive`
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by KKkai0315 · poc
https://github.com/KKkai0315/CVE-2018-17456

This PoC exploits CVE-2018-17456, a vulnerability in Git submodules that allows arbitrary command execution during recursive clone operations. The script constructs a malicious repository with a crafted `.gitmodules` file to trigger the vulnerability.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Git (versions before 2.19.2, 2.18.1, 2.17.2)
No auth needed
Prerequisites: Git installed on the target system · Ability to convince victim to clone the malicious repository recursively
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec STUB
by jiahuiLeee · poc
https://github.com/jiahuiLeee/test

The repository contains only a README.md file with minimal content, stating it is a reproduction of CVE-2018-17456 but providing no code or technical details.

Classification
Stub 10%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec STUB
by 799600966 · poc
https://github.com/799600966/CVE-2018-17456

The repository contains only README files with minimal content ('test'), providing no functional exploit code or technical details for CVE-2018-17456.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by matlink · poc
https://github.com/matlink/CVE-2018-17456

This Dockerfile sets up a test environment for CVE-2018-17456, a Git submodule vulnerability allowing arbitrary command execution via crafted .gitmodules entries. The PoC demonstrates command injection by executing a payload during submodule operations.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Git (versions before 2.19.2, 2.18.1, 2.17.2, etc.)
No auth needed
Prerequisites: Git repository with submodules · Ability to modify .gitmodules
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec STUB
by shpik-kr · poc
https://github.com/shpik-kr/CVE-2018-17456

The repository contains only a README.md file with minimal information about CVE-2018-17456, lacking any exploit code or technical details. It appears to be a placeholder or stub for a potential proof-of-concept.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/git_submodule_url_exec.rb

This Metasploit module exploits CVE-2018-17456 by creating a malicious Git repository with a submodule URL starting with a dash, which triggers command execution when cloned with --recurse-submodules. The exploit delivers a reverse shell payload via a crafted .gitmodules file.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Git versions 2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1, 2.19.1 and lower
No auth needed
Prerequisites: Victim must clone the malicious repository with --recurse-submodules · Network access to the malicious Git server
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (18)

Core 18
Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45631/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/105523
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1041811
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2018/dsa-4311
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3505
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45548/
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3541
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3408
Third Party Advisory x_refsource_misc
https://marc.info/?l=git&m=153875888916397&w=2
Mailing List, Third Party Advisory x_refsource_misc
https://www.openwall.com/lists/oss-security/2018/10/06/3
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3791-1/
Mailing List, Third Party Advisory mailing-list x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Mar/30
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/107511
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0316

Scores

CVSS v3 9.8
EPSS 0.9736
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-88
Status published
Products (19)
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
debian/debian_linux 9.0
git-scm/git 2.14.0 - 2.14.5
redhat/ansible_tower 3.3
redhat/enterprise_linux 6.0
redhat/enterprise_linux 6.7
redhat/enterprise_linux 7.0
redhat/enterprise_linux 7.3
... and 9 more
Published Oct 06, 2018
Tracked Since Feb 18, 2026