CVE-2021-21300

HIGH

Git 2.14.2-2.30.0 - Remote Code Execution via Symbolic Link and Clean/Smudge Filter Interaction

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 16 public exploits for CVE-2021-21300. PoCs published by X1cT34m, Maskhe, the-chivalrousZ, including Metasploit module exploits/multi/http/git_lfs_clone_command_exec.

AI-analyzed exploit summary This exploit leverages a Git vulnerability (CVE-2021-21300) where a malicious repository can execute arbitrary code via a symlink attack on Git hooks during clone operations. The PoC creates a repository with a symlink to `.git/hooks` and a malicious `post-checkout` hook to demonstrate code execution.

Description

Git is an open-source distributed revision control system. In affected versions of Git a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS, may cause just-checked out script to be executed while cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS (i.e. the default file systems on Windows and macOS). Note that clean/smudge filters have to be configured for that. Git for Windows configures Git LFS by default, and is therefore vulnerable. The problem has been patched in the versions published on Tuesday, March 9th, 2021. As a workaound, if symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. Likewise, if no clean/smudge filters such as Git LFS are configured globally (i.e. _before_ cloning), the attack is foiled. As always, it is best to avoid cloning repositories from untrusted sources. The earliest impacted version is 2.14.2. The fix versions are: 2.30.1, 2.29.3, 2.28.1, 2.27.1, 2.26.3, 2.25.5, 2.24.4, 2.23.4, 2.22.5, 2.21.4, 2.20.5, 2.19.6, 2.18.5, 2.17.62.17.6.

Exploits (16)

github WORKING POC 4 stars
by X1cT34m · cpoc
https://github.com/X1cT34m/CVE-and-PoC/tree/main/2021/CVE-2021-21300

This exploit leverages a Git vulnerability (CVE-2021-21300) where a malicious repository can execute arbitrary code via a symlink attack on Git hooks during clone operations. The PoC creates a repository with a symlink to `.git/hooks` and a malicious `post-checkout` hook to demonstrate code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Git (versions before 2.30.1)
No auth needed
Prerequisites: ability to host a malicious Git repository · victim must clone the repository
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec SUSPICIOUS 1 stars
by Maskhe · poc
https://github.com/Maskhe/CVE-2021-21300

The repository lacks any functional exploit code and only contains a vague README instructing users to clone it, with a promise of printing 'PWNED' and a reference to an external source. This is characteristic of a social engineering lure.

Classification
Suspicious 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unspecified
No auth needed
Prerequisites: none specified
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WRITEUP
by Sizvy · poc
https://github.com/Sizvy/CVE-2021-21300

Technical analysis of CVE-2021-21300, detailing how arbitrary code execution is achieved via malicious Git hooks on case-insensitive filesystems by exploiting symbolic links.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Git (versions 2.14.2 to 2.30.1)
No auth needed
Prerequisites: Case-insensitive filesystem (Windows/macOS) · Symbolic link support · Global Git LFS filters enabled
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by henry861010 · poc
https://github.com/henry861010/Network_Security_NYCU

This script exploits CVE-2021-21300 by creating a malicious Git repository with a symbolic link to .git/hooks, allowing arbitrary command execution during Git operations. The post-checkout hook is abused to execute unauthorized commands.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Git (versions before 2.30.1)
No auth needed
Prerequisites: Git installed on the target system · Ability to push to a Git repository
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec STUB
by danshuizhangyu · poc
https://github.com/danshuizhangyu/CVE-2021-21300

The repository contains only a README.md file with the CVE identifier and no additional technical details or exploit code. It lacks any meaningful content to classify it as a working PoC, scanner, or writeup.

Classification
Stub 100%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by fengzhouc · poc
https://github.com/fengzhouc/CVE-2021-21300

This repository contains a functional exploit for CVE-2021-21300, a Git vulnerability where symbolic link handling in case-insensitive filesystems (e.g., Windows) can lead to remote command execution. The PoC demonstrates how a malicious repository with a symbolic link pointing to `.git/hooks` can execute arbitrary commands during clone operations.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Git versions 2.15 to 2.30.1
No auth needed
Prerequisites: A case-insensitive filesystem (e.g., Windows) · Victim must clone the malicious repository with `core.symlinks=true`
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by Faisal78123 · poc
https://github.com/Faisal78123/CVE-2021-21300

The exploit leverages a Git vulnerability (CVE-2021-21300) by crafting a malicious repository with a symbolic link to `.git/hooks` and a malicious `post-checkout` hook. When cloned, the hook executes arbitrary code (echoing 'PWNED').

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Git (versions before 2.30.1)
No auth needed
Prerequisites: Ability to host a malicious Git repository · Victim clones the repository
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec STUB
by 1uanWu · poc
https://github.com/1uanWu/CVE-2021-21300

The repository contains only a README.md file with the CVE identifier and no additional technical details or exploit code. It is a placeholder with minimal content.

Classification
Stub 100%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by erranfenech · poc
https://github.com/erranfenech/CVE-2021-21300

This repository contains a functional exploit for CVE-2021-21300, a Git vulnerability involving malicious hooks during clone operations. The exploit leverages symbolic link manipulation to execute arbitrary code via a crafted Git repository.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Git (versions before 2.30.1)
No auth needed
Prerequisites: Git installed on the target system · Ability to trick a user into cloning a malicious repository
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Johannes Schindelin, Matheus Tavares, Shelby Pace · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/git_lfs_clone_command_exec.rb

This Metasploit module exploits CVE-2021-21300, a vulnerability in Git clients on case-insensitive file systems. It leverages Git LFS and symbolic links to place a malicious Git hook in the `.git/hooks` directory, achieving remote code execution during repository checkout.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Git clients (MacOS, Windows) with Git LFS and case-insensitive file systems
No auth needed
Prerequisites: Target must clone a malicious repository · Case-insensitive file system · Git LFS support enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (14)

Core 14
Core References
Exploit, Mailing List, Third Party Advisory mailing-list
http://www.openwall.com/lists/oss-security/2021/03/09/3
Mailing List, Third Party Advisory mailing-list
http://seclists.org/fulldisclosure/2021/Apr/60
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202104-01
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2022/10/msg00014.html

Scores

CVSS v3 8.0
EPSS 0.5828
EPSS Percentile 98.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Details

CWE
CWE-59
Status published
Products (8)
apple/xcode < 12.5
debian/debian_linux 10.0
fedoraproject/fedora 32
fedoraproject/fedora 33
fedoraproject/fedora 34
git-scm/git 2.27.0
git-scm/git 2.28.0
git-scm/git < 2.14.2
Published Mar 09, 2021
Tracked Since Feb 18, 2026