Git Vulnerabilities Led to Credentials Exposure

Vulnerabilities in Git’s credential retrieval protocol could have allowed attackers to compromise user credentials.

Improper handling of messages in Git’s credential retrieval protocol could have allowed attackers to leak users’ credentials, security researcher RyotaK says.

Git retrieves login information stored in system-specific credential helpers using the credential protocol, a text-based protocol carried over the helper’s standard input and output in which each line is a key=value pair.

Both Git and the credential helper parse these messages, whose lines are separated by the newline character, and Git rejects values containing a newline so that an attacker cannot inject additional key-value pairs into the stream.

RyotaK discovered that a feature in GitHub Desktop that automatically supplies credentials to a Git client contains a vulnerability that allows a malicious repository referencing a crafted URL to leak the credential.

Tracked as CVE-2025-23040, the issue is a carriage return smuggling bug. It exists because the Git credential protocol separates lines only with the newline character (\n), whereas ECMAScript regular expressions, as used by GitHub Desktop’s parser, also treat a carriage return (\r) as a line terminator.

Because of this difference, when the crafted URL is parsed, Git and GitHub Desktop recognize the host differently: GitHub Desktop returns the login information for the user’s GitHub account, and Git then sends it to the attacker-controlled server named in the URL.

The security researcher, who named the attack Clone2Leak, discovered a similar security defect in Git Credential Manager, a cross-platform credential helper for Git, tracked as CVE-2024-50338. Both flaws result from the credential helper improperly handling the carriage return character, RyotaK notes.

While Git itself rejects newlines in credential values, Git LFS, an extension for managing large files that Git spawns as a child process, builds its own credential requests using a function that does not reject the newline character, which can be abused to bypass Git’s protection. The vulnerability is tracked as CVE-2024-53263.

To resolve the carriage return smuggling bugs, Git added a new validation to the credential protocol that rejects URLs containing a carriage return. Git announced patches for the issue, tracked as CVE-2024-52006, on January 14.

“When using a credential helper, Git uses a line-based protocol to pass information between itself and the credential helper. A specially-crafted URL containing a carriage return can be used to inject unintended values into the protocol stream, causing the helper to retrieve the password for one server while sending it to another,” GitHub explains.
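The smuggling mechanism described above, and the validation Git added for it, as an added example in JavaScript; this is not code from Git, GitHub Desktop or RyotaK’s write-up. The stream written by Git, the host names and the username value are constructed for illustration and are not the reported proof of concept. The first parser reads the protocol the way Git does (split on \n only); the second uses an ECMAScript multiline regular expression, which also breaks lines at \r, so the same bytes yield a different host. The last function shows the check the fix relies on: refusing to pass any field containing a line terminator.

```javascript
// Added example (not code from Git, GitHub Desktop or RyotaK's write-up).
// It shows the carriage return "smuggling" mechanism: Git's credential
// protocol separates fields with "\n" only, while an ECMAScript regular
// expression in multiline mode treats "\r" as a line terminator as well.

// Constructed stream, an assumption for illustration: what Git might write
// to a helper's stdin for a clone URL whose percent-encoded userinfo decodes
// to a username containing a raw "\r" followed by a fake "host=" field.
const STREAM_FROM_GIT =
  "protocol=https\n" +
  "host=attacker.example\n" +
  "username=whatever\rhost=github.com\n" +
  "\n";

// Line-based parsing, the way Git reads the protocol: split on "\n" only,
// the key is everything before the first "=", a blank line ends the request.
function parseLineBased(stream) {
  const fields = {};
  for (const line of stream.split("\n")) {
    if (line === "") break;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    fields[line.slice(0, eq)] = line.slice(eq + 1); // later keys overwrite
  }
  return fields;
}

// Regex-based parsing, as a JavaScript helper might do it. With the m flag,
// ^ and $ match at every LineTerminator, and "\r" is one in ECMAScript, so
// "username=whatever\rhost=github.com" produces two key/value matches.
function parseRegexBased(stream) {
  const fields = {};
  const re = /^([^=\r\n]+)=(.*)$/gm;
  let m;
  while ((m = re.exec(stream)) !== null) {
    fields[m[1]] = m[2];
  }
  return fields;
}

// Where the two parsers disagree: the helper looks up github.com, while Git
// connects to attacker.example and forwards whatever the helper returned.
function hostMismatch(stream) {
  const gitView = parseLineBased(stream).host;
  const helperView = parseRegexBased(stream).host;
  return { gitView, helperView, smuggled: gitView !== helperView };
}

// Hardened serialization, mirroring the check the article describes for Git
// 2.48.1: refuse to write any field containing "\r" (Git already refused
// "\n"). A helper should apply the same check on input before trusting a
// regex-based parse.
function serializeForHelper(fields) {
  const lines = [];
  for (const [key, value] of Object.entries(fields)) {
    if (/[\r\n]/.test(key) || /[\r\n]/.test(value)) {
      throw new Error(`refusing to send ${key}: field contains a line terminator`);
    }
    lines.push(`${key}=${value}`);
  }
  return lines.join("\n") + "\n\n";
}
```

Run with Node and call `hostMismatch(STREAM_FROM_GIT)`: the line-based view reports `attacker.example` and the regex view reports `github.com`, which is exactly the "retrieve the password for one server while sending it to another" condition GitHub describes. The same fields passed through `serializeForHelper` are rejected.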

Git version 2.48.1 resolves the issue and also addresses CVE-2024-50349, a vulnerability that allows attackers to craft URLs containing ANSI escape sequences and construct misleading prompts that could trick users into providing their credentials to the attacker.

“When Git needs to fill in credentials interactively without the use of a credential helper, it prints out the hostname and asks the user to fill in the appropriate username/password pair for that host. However, Git prints out the hostname after URL-decoding it,” GitHub notes.
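The prompt problem GitHub describes above, as an added JavaScript example that is not Git’s code: one function builds the prompt from the URL-decoded hostname exactly as the article says Git did, and a hardened variant re-encodes every control character after decoding so the terminal displays it literally. The crafted host value is constructed for illustration and is not the reported proof of concept; treating percent-encoding of control bytes as the sanitization step is an assumption of this example, not a description of Git’s actual patch.

```javascript
// Added example (not Git's code). The article explains that Git printed the
// URL-decoded hostname in its interactive prompt, so percent-encoded ANSI
// escape sequences in a URL could rewrite what the user sees. Below, the
// unsafe prompt sits beside a hardened one that re-encodes control bytes
// after decoding.

// Constructed host (an assumption, not the reported proof of concept):
// "%1b%5b2J" decodes to ESC[2J (clear screen) and the tail decodes to a
// newline plus text that imitates a prompt for github.com.
const CRAFTED_HOST =
  "attacker.example%1b%5b2J%0aPassword%20for%20%27https://github.com%27:";

// C0 controls, DEL and C1 controls: everything a terminal might interpret.
const CONTROL_CHARS = /[\x00-\x1f\x7f-\x9f]/g;

function hasControlChars(text) {
  return /[\x00-\x1f\x7f-\x9f]/.test(text);
}

// Re-encode every control character as %XX so the terminal shows it
// literally instead of interpreting it as an escape sequence.
function sanitizeForTerminal(text) {
  return text.replace(CONTROL_CHARS, (ch) =>
    "%" + ch.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0"));
}

// Unsafe: decode, then print as-is (the behaviour the article describes).
function buildPromptUnsafe(encodedHost) {
  return `Password for 'https://${decodeURIComponent(encodedHost)}': `;
}

// Hardened: decode for matching, but sanitize before it reaches the terminal.
function buildPromptSafe(encodedHost) {
  const decoded = decodeURIComponent(encodedHost);
  return `Password for 'https://${sanitizeForTerminal(decoded)}': `;
}
```

With the crafted host, `buildPromptUnsafe` emits a raw ESC[2J followed by a newline, so a real terminal clears itself and shows a line that looks like a prompt for github.com. `buildPromptSafe` emits `%1B[2J%0A` instead, which the user sees as odd text and not as a legitimate GitHub prompt.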

GitHub credited RyotaK with reporting CVE-2024-50349 and CVE-2024-52006, and announced that GitHub Desktop version 3.4.12 patches CVE-2025-23040, Git LFS version 3.6.1 fixes CVE-2024-53263, and Git Credential Manager version 2.6.1 patches CVE-2024-50338.

Previously, similar vulnerabilities were found in GitHub Codespaces and the GitHub CLI: one leaked credentials when cloning a malicious repository in GitHub Codespaces using the GitHub CLI, and another leaked the GitHub token because Git failed to properly validate ‘host’ parameters.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
