Multiple security vulnerabilities have been disclosed in GitHub Desktop as well as in other Git-related projects that, if successfully exploited, could allow an attacker to gain unauthorized access to a user's Git credentials.
"Git implements a protocol called the Git Credential Protocol to retrieve credentials from the credential helper," GMO Flatt Security researcher RyotaK, who discovered the flaws, noted in an analysis published on Sunday. "Many projects were vulnerable to credential leakage in various ways."
The list of identified vulnerabilities is as follows:
- CVE-2025-23040 (CVSS score: 6.6): Maliciously crafted remote URLs can lead to credential leaks in GitHub Desktop
- CVE-2024-50338 (CVSS score: 7.4): A carriage return character in a remote URL allows a malicious repository to leak credentials in Git Credential Manager
- CVE-2024-53263 (CVSS score: 8.5): Git LFS permits retrieval of credentials through crafted HTTP URLs
- CVE-2024-53858 (CVSS score: 6.5): Recursive repository cloning in GitHub CLI can leak authentication tokens to non-GitHub hosts
While Git's credential helper protocol guards against the newline control character ("\n"), the research showed that GitHub Desktop is susceptible to carriage return ("\r") smuggling: injecting that character into a crafted URL causes credentials to be leaked to the attacker.
"Using a maliciously crafted URL, it is possible to cause the credential request coming from Git to be misinterpreted by GitHub Desktop," GitHub said in an advisory.
A similar weakness was also found in the Git Credential Manager NuGet package, which allows credentials to be exposed to an unrelated host. Git LFS was likewise found not to check for the presence of embedded control characters, leading to carriage return line feed (CRLF) injection by means of a crafted HTTP URL.
The vulnerability affecting GitHub CLI, on the other hand, exploits the fact that the access token is configured to be sent to hosts other than github[.]com and ghe[.]com as long as the environment variables GITHUB_ENTERPRISE_TOKEN, GH_ENTERPRISE_TOKEN, and GITHUB_TOKEN are set, with CODESPACES set to "true" in the case of the latter.
"While both enterprise-related variables are not common, the CODESPACES environment variable is always set to true when running on GitHub Codespaces," RyotaK said. "So, cloning a malicious repository on GitHub Codespaces using GitHub CLI will always leak the access token to the attacker."
Successful exploitation of the above flaws could allow a malicious third party to use the stolen authentication tokens to access privileged resources.
In response to the disclosure, the credential leak stemming from carriage return smuggling has been treated by the Git project as a standalone vulnerability (CVE-2024-52006, CVSS score: 2.1) and addressed in version v2.48.1.
"This vulnerability is related to CVE-2020-5260, but relies on behavior where single carriage return characters are interpreted by some credential helper implementations as newlines," GitHub software engineer Taylor Blau noted in a report on CVE-2024-52006.
The latest version also patches CVE-2024-50349 (CVSS score: 2.1), which could be exploited by an adversary to craft URLs containing escape sequences to trick users into providing their credentials to arbitrary sites.
Users are advised to update to the latest version to protect against these vulnerabilities. If immediate patching is not an option, the risk can be mitigated by avoiding running git clone with --recurse-submodules against untrusted repositories. It is also recommended to avoid using the credential helper by cloning only public repositories.
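The two failure modes described above, carriage return smuggling in the credential helper protocol and escape sequences in URLs reaching a password prompt, can be modelled in a few lines. The following is an added illustration written for this page; it is not code from Git, GitHub Desktop, Git Credential Manager or Git LFS. The credential store, the request format helper and the sample host values are constructed, and the "lenient" parser stands in for any helper that treats a lone "\r" as a line break.

```python
"""
Toy model of the Git credential helper protocol: Git writes key=value lines,
each terminated by "\n", followed by a blank line, and the helper answers in
the same form. Added illustration; the credential store and requests below
are constructed for the demo.
"""
import re

# A "\r", "\n" or NUL inside a field value breaks the line-oriented protocol.
CONTROL_CHARS = re.compile(r"[\r\n\x00]")
# ANSI escape sequences and other non-printables that a URL could carry into
# a terminal password prompt.
UNPRINTABLE = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]|[\x00-\x1f\x7f]")

# Constructed credential store: (protocol, host) -> secret.
STORE = {("https", "github.com"): "ghp_EXAMPLE_TOKEN"}


class ProtocolError(ValueError):
    """Raised when a credential request is malformed."""


def build_request(protocol: str, host: str, path: str = "") -> str:
    """Serialise a request in the shape Git sends to a helper (constructed).
    The protocol already guards against "\n" in values; the point of the demo
    is what a helper does with a smuggled "\r"."""
    lines = [f"protocol={protocol}", f"host={host}"]
    if path:
        lines.append(f"path={path}")
    return "\n".join(lines) + "\n\n"


def lenient_parse(request: str) -> dict:
    """Parser modelled on a helper that treats a lone "\r" as a line break.
    str.splitlines() splits on "\r" as well as "\n", so a "\r" smuggled into a
    value becomes a second key=value pair that overrides the first."""
    fields = {}
    for line in request.splitlines():
        if line == "":
            break
        key, _, value = line.partition("=")
        fields[key] = value
    return fields


def strict_parse(request: str) -> dict:
    """Hardened parser: only "\n" ends a line, and a control character anywhere
    in a key or value is rejected instead of being reinterpreted."""
    fields = {}
    for line in request.split("\n"):
        if line == "":
            break
        if "=" not in line:
            raise ProtocolError(f"malformed line: {line!r}")
        key, value = line.split("=", 1)
        if CONTROL_CHARS.search(key) or CONTROL_CHARS.search(value):
            raise ProtocolError("control character in credential field")
        fields[key] = value
    return fields


def is_well_formed(request: str) -> bool:
    """True when the strict parser accepts the request."""
    try:
        strict_parse(request)
        return True
    except ProtocolError:
        return False


def lookup(parse, request: str):
    """Return the secret a helper using `parse` would hand back, or None."""
    fields = parse(request)
    return STORE.get((fields.get("protocol"), fields.get("host")))


def safe_prompt_host(host: str) -> str:
    """Render a host for a terminal prompt with escape sequences and control
    bytes replaced, so a crafted URL cannot forge what the user sees."""
    return UNPRINTABLE.sub("?", host)


if __name__ == "__main__":
    # Git would actually be talking to attacker.example; the "\r" smuggles a
    # second host= field that the lenient helper takes as the real one.
    smuggled = build_request("https", "attacker.example\rhost=github.com")
    print("lenient helper returns:", lookup(lenient_parse, smuggled))
    print("strict helper accepts it:", is_well_formed(smuggled))
    print(safe_prompt_host("github.com\x1b[2K\x1b[0Gevil.example"))
```

The lenient helper hands back the github.com secret for a request whose real host is attacker.example, which is the leak the article describes; the strict parser refuses the request outright, and the prompt sanitiser keeps an escape sequence in a host name from rewriting the terminal line before the user types a password.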