403 Forbidden when cloning public repo over HTTPS with Git 2.47.3
Summary
Cloning a public GitLab repo over HTTPS with Git 2.47.3 returns 403 Forbidden, apparently based on the user agent.
Steps to reproduce
Either:
- with git version 2.4.73:
git clone http://gitlab.com/surfliner/surfliner.git
Or:
- with any version of git:
GIT_HTTP_USER_AGENT='git/2.47.3' git clone http://gitlab.com/surfliner/surfliner.git
What is the current bug behavior?
- Clone fails with
fatal: unable to access 'http://gitlab.com/surfliner/surfliner.git/': The requested URL returned error: 403
What is the expected correct behavior?
- Repository is cloned
Relevant logs and/or screenshots
With GIT_TRACE_PACKET=1 GIT_TRACE=2 GIT_CURL_VERBOSE=1:
11:07:39.485478 exec-cmd.c:139 trace: resolved executable path from Darwin stack: /Applications/Xcode.app/Contents/Developer/usr/bin/git
11:07:39.485958 exec-cmd.c:238 trace: resolved executable dir: /Applications/Xcode.app/Contents/Developer/usr/bin
11:07:39.486910 git.c:460 trace: built-in: git clone http://gitlab.com/surfliner/surfliner.git
Cloning into 'surfliner'...
11:07:39.495198 run-command.c:655 trace: run_command: git remote-http origin http://gitlab.com/surfliner/surfliner.git
11:07:39.498784 exec-cmd.c:139 trace: resolved executable path from Darwin stack: /Applications/Xcode.app/Contents/Developer/usr/libexec/git-core/git
11:07:39.499180 exec-cmd.c:238 trace: resolved executable dir: /Applications/Xcode.app/Contents/Developer/usr/libexec/git-core
11:07:39.499614 git.c:750 trace: exec: git-remote-http origin http://gitlab.com/surfliner/surfliner.git
11:07:39.499628 run-command.c:655 trace: run_command: git-remote-http origin http://gitlab.com/surfliner/surfliner.git
11:07:39.503410 exec-cmd.c:139 trace: resolved executable path from Darwin stack: /Applications/Xcode.app/Contents/Developer/usr/libexec/git-core/git-remote-http
11:07:39.503781 exec-cmd.c:238 trace: resolved executable dir: /Applications/Xcode.app/Contents/Developer/usr/libexec/git-core
11:07:39.507895 http.c:725 == Info: Couldn't find host gitlab.com in the .netrc file; using defaults
11:07:39.510657 http.c:725 == Info: Host gitlab.com:80 was resolved.
11:07:39.510662 http.c:725 == Info: IPv6: (none)
11:07:39.510664 http.c:725 == Info: IPv4: 172.65.251.78
11:07:39.510681 http.c:725 == Info: Trying 172.65.251.78:80...
11:07:39.514306 http.c:725 == Info: Connected to gitlab.com (172.65.251.78) port 80
11:07:39.514354 http.c:672 => Send header, 0000000205 bytes (0x000000cd)
11:07:39.514358 http.c:684 => Send header: GET /surfliner/surfliner.git/info/refs?service=git-upload-pack HTTP/1.1
11:07:39.514360 http.c:684 => Send header: Host: gitlab.com
11:07:39.514361 http.c:684 => Send header: User-Agent: git/2.47.3
11:07:39.514363 http.c:684 => Send header: Accept: */*
11:07:39.514364 http.c:684 => Send header: Accept-Encoding: deflate, gzip
11:07:39.514366 http.c:684 => Send header: Pragma: no-cache
11:07:39.514368 http.c:684 => Send header: Git-Protocol: version=2
11:07:39.514369 http.c:684 => Send header:
11:07:39.514373 http.c:725 == Info: Request completely sent off
11:07:39.525428 http.c:672 <= Recv header, 0000000024 bytes (0x00000018)
11:07:39.525436 http.c:684 <= Recv header: HTTP/1.1 403 Forbidden
11:07:39.525442 http.c:672 <= Recv header, 0000000037 bytes (0x00000025)
11:07:39.525446 http.c:684 <= Recv header: Date: Wed, 25 Feb 2026 19:07:39 GMT
11:07:39.525452 http.c:672 <= Recv header, 0000000040 bytes (0x00000028)
11:07:39.525456 http.c:684 <= Recv header: Content-Type: text/html; charset=UTF-8
11:07:39.525462 http.c:672 <= Recv header, 0000000028 bytes (0x0000001c)
11:07:39.525466 http.c:684 <= Recv header: Transfer-Encoding: chunked
11:07:39.525471 http.c:672 <= Recv header, 0000000024 bytes (0x00000018)
11:07:39.525474 http.c:684 <= Recv header: Connection: keep-alive
11:07:39.525478 http.c:672 <= Recv header, 0000000029 bytes (0x0000001d)
11:07:39.525482 http.c:684 <= Recv header: X-Frame-Options: SAMEORIGIN
11:07:39.525486 http.c:672 <= Recv header, 0000000030 bytes (0x0000001e)
11:07:39.525489 http.c:684 <= Recv header: Referrer-Policy: same-origin
11:07:39.525493 http.c:672 <= Recv header, 0000000099 bytes (0x00000063)
11:07:39.525497 http.c:684 <= Recv header: Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
11:07:39.525499 http.c:672 <= Recv header, 0000000040 bytes (0x00000028)
11:07:39.525501 http.c:684 <= Recv header: Expires: Thu, 01 Jan 1970 00:00:01 GMT
11:07:39.525503 http.c:672 <= Recv header, 0000000267 bytes (0x0000010b)
11:07:39.525508 http.c:684 <= Recv header: Set-Cookie: __cf_bm=No0iHLQ6.bZPvXTsCUEemEU2Yuhe_KJCPBWUdpTSvXI-1772046459-1.0.1.1-_qS4iQaR_8LfzoZQTZPeKXMVtw1Fufj6tDlS32ez7Dyuwbe.jQI.x7LeKSRHo8m9Q5OaOnWLm2h7mEkMpttk2xz32xZBG_LiBvEZG_.tdGM; path=/; expires=Wed, 25-Feb-26 19:37:39 GMT; domain=.gitlab.com; HttpOnly
11:07:39.525512 http.c:672 <= Recv header, 0000000246 bytes (0x000000f6)
11:07:39.525514 http.c:684 <= Recv header: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3WZ%2Fw7XuVMIeloK7uF8JyzwLtgNqpJ3zS9mYjjs2YEPaBQB6LbtvYdbMZRgNFgU68CUgC7ILExHbHh9pnYyzSXRTexCAjAaGOjMo5UAXoHqi4EqmQL8cvSdv6fc%3D"}],"group":"cf-nel","max_age":604800}
11:07:39.525516 http.c:672 <= Recv header, 0000000070 bytes (0x00000046)
11:07:39.525518 http.c:684 <= Recv header: NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
11:07:39.525520 http.c:672 <= Recv header, 0000000023 bytes (0x00000017)
11:07:39.525521 http.c:684 <= Recv header: Vary: Accept-Encoding
11:07:39.525523 http.c:672 <= Recv header, 0000000033 bytes (0x00000021)
11:07:39.525525 http.c:684 <= Recv header: X-Content-Type-Options: nosniff
11:07:39.525527 http.c:672 <= Recv header, 0000000020 bytes (0x00000014)
11:07:39.525528 http.c:684 <= Recv header: Server: cloudflare
11:07:39.525530 http.c:672 <= Recv header, 0000000030 bytes (0x0000001e)
11:07:39.525532 http.c:684 <= Recv header: CF-RAY: 9d397ca3efb6f31f-SJC
11:07:39.525539 http.c:672 <= Recv header, 0000000024 bytes (0x00000018)
11:07:39.525541 http.c:684 <= Recv header: Content-Encoding: gzip
11:07:39.525542 http.c:672 <= Recv header, 0000000002 bytes (0x00000002)
11:07:39.525544 http.c:684 <= Recv header:
11:07:39.525578 http.c:725 == Info: Connection #0 to host gitlab.com left intact
fatal: unable to access 'http://gitlab.com/surfliner/surfliner.git/': The requested URL returned error: 403
Output of checks
This bug happens on GitLab.com
Workaround
Set $GIT_HTTP_USER_AGENT to some other value, e.g. git/2.39.5 (Apple Git-154)
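Added example, not part of the original report: a Python helper that reads a `GIT_CURL_VERBOSE` trace like the one above, extracts the fields needed to triage the 403 (request line, `User-Agent` sent, status, `Server`, `CF-RAY`), and redacts cookie and authorization values before the log is shared. The sample trace is constructed and shortened, and the function names are hypothetical.

```python
import re

# Constructed, shortened sample in the GIT_CURL_VERBOSE format shown in the report.
SAMPLE_TRACE = """\
11:07:39.514354 http.c:672 => Send header, 0000000205 bytes (0x000000cd)
11:07:39.514358 http.c:684 => Send header: GET /group/project.git/info/refs?service=git-upload-pack HTTP/1.1
11:07:39.514361 http.c:684 => Send header: User-Agent: git/2.47.3
11:07:39.514369 http.c:684 => Send header:
11:07:39.525436 http.c:684 <= Recv header: HTTP/1.1 403 Forbidden
11:07:39.525508 http.c:684 <= Recv header: Set-Cookie: __cf_bm=EXAMPLEVALUE; path=/; HttpOnly
11:07:39.525528 http.c:684 <= Recv header: Server: cloudflare
11:07:39.525532 http.c:684 <= Recv header: CF-RAY: 0000000000000000-SJC
"""

HEADER_LINE = re.compile(r"http\.c:\d+ (=>|<=) (?:Send|Recv) header: ?(.*)$")
SENSITIVE = {"set-cookie", "cookie", "authorization", "proxy-authorization"}

def summarize(trace):
    """Return request line, status code, and sent/received headers from a trace."""
    out = {"request": None, "status": None, "sent": {}, "received": {}}
    for line in trace.splitlines():
        m = HEADER_LINE.search(line)
        if not m or not m.group(2):
            continue  # byte-count lines and the blank end-of-headers line
        direction, text = m.groups()
        if direction == "=>" and re.match(r"[A-Z]+ \S+ HTTP/", text):
            out["request"] = text
        elif direction == "<=" and text.startswith("HTTP/"):
            out["status"] = int(text.split()[1])
        else:
            name, _, value = text.partition(":")
            key = "sent" if direction == "=>" else "received"
            out[key][name.strip().lower()] = value.strip()
    return out

def redact(trace):
    """Blank the values of credential-bearing headers before sharing a trace."""
    lines = []
    for line in trace.splitlines():
        m = HEADER_LINE.search(line)
        if m:
            name = m.group(2).partition(":")[0]
            if name.lower() in SENSITIVE:
                line = line[:m.start(2)] + name + ": [REDACTED]"
        lines.append(line)
    return "\n".join(lines)

if __name__ == "__main__":
    print(summarize(redact(SAMPLE_TRACE)))
```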