Critical GitHub Desktop Flaw Exposes User Credentials Through Malicious URLs


Security Vulnerabilities Discovered in GitHub Desktop and Git Projects

Multiple security vulnerabilities have been uncovered in GitHub Desktop and related Git projects that could potentially expose users’ Git credentials to unauthorized access. Security researcher Ry0taK from GMO Flatt Security identified these vulnerabilities, collectively known as Clone2Leak.

Key Vulnerabilities Identified:

1. GitHub Desktop (CVE-2025-23040) – CVSS 6.6
– Credential leaks possible through maliciously crafted remote URLs

2. Git Credential Manager (CVE-2024-50338) – CVSS 7.4
– Carriage-return character exploitation in remote URLs

3. Git LFS (CVE-2024-53263) – CVSS 8.5
– Credential exposure through crafted HTTP URLs

4. GitHub CLI (CVE-2024-53858) – CVSS 6.5
– Authentication token leakage during recursive repository cloning

Technical Impact:
The vulnerabilities stem from improper handling of the Git Credential Protocol: because the protocol is line-oriented, carriage return smuggling and CRLF injection in a crafted remote URL let an attacker redirect credentials to an unauthorized host.
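The following is an added illustration, not code from Git, GitHub Desktop or the Clone2Leak write-up: a hypothetical defensive validator that derives the credential-protocol fields from a remote URL, refuses any field containing CR, LF or NUL so a decoded value cannot masquerade as an extra protocol line, and parses helper replies treating only LF as a line terminator. Field derivation (path included unconditionally) is simplified relative to Git's real behaviour.

```python
import re
from urllib.parse import urlsplit, unquote

# Hypothetical helper: the Git credential protocol exchanges "key=value\n"
# lines ending with a blank line. A CR or LF hidden inside a value (for
# example as %0D in a URL) would be read as a second "host=" line, which is
# the smuggling problem described above.
CONTROL_CHARS = re.compile(r"[\r\n\0]")


class CredentialProtocolError(ValueError):
    """Raised when a field would corrupt the line-oriented protocol."""


def credential_fields_from_url(remote_url: str) -> dict:
    """Derive the protocol/host/path fields a helper would be asked about.
    Percent-decoding is done deliberately so smuggled %0D / %0A surface."""
    parts = urlsplit(remote_url)
    if parts.scheme not in ("http", "https"):
        raise CredentialProtocolError(f"unsupported scheme {parts.scheme!r}")
    fields = {"protocol": parts.scheme, "host": unquote(parts.netloc)}
    if parts.path and parts.path != "/":
        fields["path"] = unquote(parts.path.lstrip("/"))
    return fields


def serialize_credential_query(fields: dict) -> str:
    """Encode fields as protocol lines, rejecting CR/LF/NUL in key or value."""
    for key, value in fields.items():
        if CONTROL_CHARS.search(key) or CONTROL_CHARS.search(value):
            raise CredentialProtocolError(f"control character in field {key!r}")
    return "".join(f"{k}={v}\n" for k, v in fields.items()) + "\n"


def parse_credential_response(text: str) -> dict:
    """Parse a helper reply: only LF ends a line, a bare CR is an error."""
    out = {}
    for line in text.split("\n"):
        if line == "":
            break  # blank line terminates the response
        if "\r" in line:
            raise CredentialProtocolError("bare carriage return in response")
        key, sep, value = line.partition("=")
        if not sep:
            raise CredentialProtocolError(f"malformed line {line!r}")
        out[key] = value
    return out


def is_safe_remote(remote_url: str) -> bool:
    """True if the URL yields a credential query free of control characters."""
    try:
        serialize_credential_query(credential_fields_from_url(remote_url))
        return True
    except CredentialProtocolError:
        return False
```

A pre-clone hook or repository scanner can run is_safe_remote over every remote and .gitmodules URL before a credential helper is ever consulted.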

Remediation:
– The Git project has addressed these issues in version v2.48.1
– Additional fixes for CVE-2024-52006 and CVE-2024-50349 have also been implemented
– Users should update to the latest versions

Temporary Mitigation Strategies:
– Avoid using --recurse-submodules with untrusted repositories
– Limit credential helper usage to public repository cloning only
– Update affected software to latest versions
