{"id":89409,"date":"2025-07-08T10:02:11","date_gmt":"2025-07-08T17:02:11","guid":{"rendered":"https:\/\/github.blog\/?p=89409"},"modified":"2025-07-28T16:11:05","modified_gmt":"2025-07-28T23:11:05","slug":"git-security-vulnerabilities-announced-6","status":"publish","type":"post","link":"https:\/\/github.blog\/open-source\/git\/git-security-vulnerabilities-announced-6\/","title":{"rendered":"Git security vulnerabilities announced"},"content":{"rendered":"\n

Today, the Git project released new versions<\/a> to address seven security vulnerabilities that affect all prior versions of Git.<\/p>\n\n\n\n

Vulnerabilities in Git<\/h2>\n\n\n\n

CVE-2025-48384<\/h3>\n\n\n\n

When reading a configuration<\/a> value, Git will strip any trailing carriage return (CR) and line feed (LF) characters. When writing a configuration value, however, Git does not quote trailing CR characters, causing them to be lost when they are read later on. When initializing a submodule<\/a> whose path contains a trailing CR character, the stripped path is used, causing the submodule to be checked out in the wrong place.<\/p>\n\n\n\n

If a symlink<\/a> already exists between the stripped path and the submodule’s hooks<\/a> directory, an attacker can execute arbitrary code through the submodule’s post-checkout<\/code> hook.<\/p>\n\n\n\n

[source<\/a>]<\/p>\n\n\n\n

CVE-2025-48385<\/h3>\n\n\n\n

When cloning a repository, Git can optionally fetch a bundle<\/a>, allowing the server to offload a portion of the clone to a CDN<\/a>. The Git client does not properly validate the advertised bundle(s), allowing the remote side to perform protocol injection. When a specially crafted bundle is advertised, the remote end can cause the client to write the bundle to an arbitrary location, which may lead to code execution similar to the previous CVE.<\/p>\n\n\n\n

[source<\/a>]<\/p>\n\n\n\n

CVE-2025-48386 (Windows only)<\/h3>\n\n\n\n

When cloning from an authenticated remote, Git uses a credential helper<\/a> in order to authenticate the request. Git includes a handful of credential helpers<\/a>, including Wincred<\/a>, which uses the Windows Credential Manager<\/a> to store its credentials.<\/p>\n\n\n\n

Wincred uses the contents of a static buffer as a unique key to store and retrieve credentials. However, it does not properly bounds check the remaining space in the buffer, leading to potential buffer overflows.<\/p>\n\n\n\n

[source<\/a>]<\/p>\n\n\n\n

Vulnerabilities in Git GUI and Gitk<\/h1>\n\n\n\n

This release resolves four new CVEs related to Gitk<\/a> and Git GUI<\/a>. Both tools are Tcl\/Tk<\/a>-based graphical interfaces used to interact with Git repositories. Gitk is focused on showing a repository’s history, whereas Git GUI focuses on making changes to existing repositories.<\/p>\n\n\n\n

CVE-2025-27613 (Gitk)<\/h3>\n\n\n\n

When running Gitk in a specially crafted repository without additional command-line arguments, Gitk can write and truncate arbitrary writable files. The “Support per-file encoding” option must be enabled; however, the operation of “Show origin of this line” is affected regardless.<\/p>\n\n\n\n

[source<\/a>]<\/p>\n\n\n\n

CVE-2025-27614 (Gitk)<\/h3>\n\n\n\n

If a user is tricked into running gitk filename<\/code> (where filename<\/code> has a particular structure), they may run arbitrary scripts supplied by the attacker, leading to arbitrary code execution.<\/p>\n\n\n\n

[source<\/a>]<\/p>\n\n\n\n

CVE-2025-46334 (Git GUI, Windows only)<\/h3>\n\n\n\n

If a malicious repository includes an executable sh.exe<\/code>, or common textconv<\/a> programs (for e.g.,  astextplain<\/code>, exif<\/code>, or ps2ascii<\/code>), path lookup on Windows may locate these executables in the working tree. If a user running Git GUI in such a repository selects either the “Git Bash” or “Browse Files” from the menu, these programs may be invoked, leading to arbitrary code execution.<\/p>\n\n\n\n

[source<\/a>]<\/p>\n\n\n\n

CVE-2025-46835 (Git GUI)<\/h3>\n\n\n\n

When a user is tricked into editing a file in a specially named directory in an untrusted repository, Git GUI can create and overwrite arbitrary writable files, similar to CVE-2025-27613.<\/p>\n\n\n\n

[source<\/a>]<\/p>\n\n\n\n

Upgrade to the latest Git version<\/h2>\n\n\n\n

The most effective way to protect against these vulnerabilities is to upgrade to Git 2.50.1, the newest release containing fixes for the aforementioned vulnerabilities. If you can’t upgrade immediately, you can reduce your risk by doing the following:<\/p>\n\n\n\n