GitHub Vulnerability Exposes Consumer Credentials through Malicious Repositories

A cybersecurity researcher recently disclosed several critical vulnerabilities affecting Git-related projects, revealing how improper handling of credential protocols can lead to sensitive data leaks.

The issues, spanning GitHub Desktop, Git Credential Manager and Git LFS, were uncovered during a routine bug-hunting session for the GitHub Bug Bounty program and resulted in the assignment of several CVEs.

Improper Parsing in GitHub Desktop Allows Credential Leakage (CVE-2025-23040)

A flaw in GitHub Desktop's handling of the Git Credential Protocol was identified as a potential vector for credential exposure.

The issue stems from how the tool's credential helper, called "trampoline," parses user input.

Within the parseCredential function, an improper regular expression implementation led to the mishandling of carriage return characters (\r).

Since the Git Credential Protocol relies on newline characters (\n) to delimit properties, the inclusion of carriage return characters allows "carriage return smuggling."

This lets attackers hosting malicious repositories craft URLs like http://%0dprotocol=https%0dhost=github.com%0d@localhost, tricking the parser into treating github.com as the target host.

Git Credential Manager Vulnerability via StreamReader Misuse (CVE-2024-50338)

Another critical issue was identified in Git Credential Manager, a cross-platform credential helper for Git built on .NET.

The vulnerability arises from improper use of the StreamReader class, which accepts several line terminators when reading input: \n, \r, and \r\n.

As a result, attackers can craft malicious URLs containing carriage return characters to manipulate how credentials are handled.

When Git Credential Manager receives such manipulated input, it may send credentials intended for legitimate hosts (e.g., github.com) to attacker-controlled endpoints, effectively exposing sensitive user data.

The researcher also discovered a vulnerability in Git LFS (Large File Storage). Unlike Git itself, which robustly validates credential values to prevent newline injection, Git LFS fails to sanitize its input.

According to Flatt Security, by embedding a newline character in the .lfsconfig file, attackers can bypass validation safeguards and manipulate the credential protocol, potentially leaking credentials.

For example, a crafted URL in .lfsconfig could cause Git LFS to send the following malformed message to a credential helper:

protocol=http
host=localhost
username=
host=github.com
protocol=https

In such cases, the credential helper would interpret the last host and protocol fields as authoritative, inadvertently exposing github.com credentials to an unauthorized host.
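To make the two parsing failures concrete, here is an added illustration in Python (not code from the article or from any of the affected projects): a lenient parser that reproduces the "any terminator ends a line, last key wins" behaviour described above, beside a strict one that rejects both, run on a constructed copy of the Git LFS message and of the smuggled username from the GitHub Desktop URL.

```python
import re
from urllib.parse import unquote

# Constructed sample: the malformed message the article says a crafted .lfsconfig
# can make Git LFS send to a credential helper (host and protocol given twice).
LFS_MESSAGE = "protocol=http\nhost=localhost\nusername=\nhost=github.com\nprotocol=https\n"

# Constructed sample for carriage-return smuggling: the userinfo of the article's
# http://%0dprotocol=https%0dhost=github.com%0d@localhost decodes to a username
# with bare \r characters, which a \n-delimited protocol should never accept.
SMUGGLED_USERNAME = unquote("%0dprotocol=https%0dhost=github.com%0d")
SMUGGLED_MESSAGE = f"protocol=http\nhost=localhost\nusername={SMUGGLED_USERNAME}\n"

def parse_lenient(message):
    # Flawed parser, kept only to show the failure: \r, \n and \r\n all end a
    # line (StreamReader.ReadLine semantics) and a repeated key overwrites the first.
    fields = {}
    for line in re.split(r"\r\n|\r|\n", message):
        if line:
            key, _, value = line.partition("=")
            fields[key] = value
    return fields

def parse_strict(message):
    # Hardened parser: only \n ends a line, any \r is an error, and a key that
    # appears twice is rejected instead of letting the last one win.
    fields = {}
    for line in message.split("\n"):
        if line == "":
            break  # an empty line terminates a credential message
        if "\r" in line or "=" not in line:
            raise ValueError(f"malformed credential line: {line!r}")
        key, _, value = line.partition("=")
        if key in fields:
            raise ValueError(f"duplicate field: {key}")
        fields[key] = value
    return fields

def is_well_formed(message):
    # True when parse_strict accepts the message, False when it rejects it.
    try:
        parse_strict(message)
    except ValueError:
        return False
    return True

def safe_value(value):
    # The client-side check Git applies before serializing a request:
    # no line terminator of either kind may appear inside a value.
    return "\r" not in value and "\n" not in value
```

Running both parsers over the two samples shows the lenient one resolving to host=github.com in each case while the strict one rejects both messages, and safe_value refuses the decoded username before it could ever be serialized.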

Separate vulnerabilities were found in GitHub CLI and Codespaces. In GitHub CLI, faulty logic in the tokenForHost function caused tokens to be sent to unauthorized hosts under specific conditions.

The issue primarily affected enterprise environments and GitHub Codespaces, where the CODESPACES environment variable is universally set to true.

A malicious repository cloned in Codespaces could exploit this to exfiltrate access tokens.

Similarly, a basic credential helper script in Codespaces exposed tokens because it failed to validate the requested host.

Subsequent patches introduced domain validation to ensure credentials are only sent to trusted endpoints.

These vulnerabilities highlight how even minor oversights in the design of text-based protocols can lead to severe security breaches.

Credential leakage, particularly in widely used tools like GitHub Desktop, Git Credential Manager, and Git LFS, underscores the importance of rigorous input validation and adherence to secure coding practices.

While patches have been deployed to address these issues, the findings serve as a cautionary tale for the broader open-source community.
