Multiple Vulnerabilities in Git Could Lead to Credential Compromise

January 27, 2025

RyotaK, a security researcher from GMO Flatt Security Inc, uncovered several vulnerabilities in Git's credential retrieval protocol which could have allowed threat actors to access user credentials. The flaws stem from improper handling of messages exchanged within the protocol.

RyotaK stumbled upon these vulnerabilities while working on the GitHub Bug Bounty program. Initially, he was focused on the GitHub Enterprise Server, but later shifted his attention to GitHub Desktop. Upon reviewing its source code, he found a bug that allowed malicious repositories to leak user credentials. This discovery prompted him to further scrutinize other Git-related projects, leading to the unearthing of additional vulnerabilities.

The Git Credential Protocol, which retrieves credentials from helpers like git-credential-store and git-credential-osxkeychain, was found to have multiple flaws that could cause credential leakage. Git retrieves credentials from these helpers by exchanging structured messages whose lines are separated by newline characters. To prevent property injection, Git blocks newline and NUL bytes in property names and values.

RyotaK discovered that GitHub Desktop's credential helper, known as 'trampoline', did not properly handle the Git Credential Protocol due to differences in how line terminators were processed. By using a specially crafted URL with a carriage return, an attacker could manipulate how the credentials were parsed. This resulted in GitHub Desktop associating credentials with the wrong host, leading to credential leaks. This issue was identified as CVE-2025-23040.
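To make the protocol handling concrete, here is an added example (not Git's, GitHub Desktop's or the researcher's code) of a credential-message parser that splits on LF only and rejects CR, LF and NUL in keys and values, the same property the credential.protectProtocol check enforces on URLs. Function names and the sample messages are constructed for this illustration.

```python
"""Strict parser for Git's credential-helper message format (added example).

A helper request is a series of "key=value" lines, each terminated by a single
LF ("\n"), ended by an empty line. Git forbids LF and NUL inside keys and
values; this parser additionally refuses CR ("\r"), so that a helper which
treats "\r\n" as a line ending cannot see a different host than Git did.
"""

# Bytes that must never appear inside a property name or value.
FORBIDDEN = {"\n", "\r", "\0"}


class CredentialProtocolError(ValueError):
    """Raised when a message could be parsed differently by a CR-tolerant helper."""


def parse_credential_message(data: str) -> dict[str, str]:
    """Parse a helper request, splitting on LF only and rejecting CR/NUL fields."""
    fields: dict[str, str] = {}
    for line in data.split("\n"):
        if line == "":
            break  # an empty line terminates the message
        if "=" not in line:
            raise CredentialProtocolError(f"malformed line: {line!r}")
        key, value = line.split("=", 1)
        for part in (key, value):
            bad = FORBIDDEN & set(part)
            if bad:
                raise CredentialProtocolError(
                    f"forbidden byte {sorted(bad)} in field {key!r}")
        fields[key] = value
    return fields


def url_is_protocol_safe(url: str) -> bool:
    """Mirror of the credential.protectProtocol idea: reject a URL carrying
    CR, LF or NUL before it is ever turned into a helper request."""
    return not (FORBIDDEN & set(url))


if __name__ == "__main__":
    # Constructed sample: a well-formed request for a fictitious host.
    good = "protocol=https\nhost=git.example\nusername=alice\n\n"
    print(parse_credential_message(good))
    # Constructed sample: a stray CR in the host field is refused outright.
    try:
        parse_credential_message("protocol=https\nhost=git.example\r\n\n")
    except CredentialProtocolError as exc:
        print("rejected:", exc)
```

A helper that applies the same check cannot be tricked into associating a credential with a host other than the one Git wrote, regardless of how it treats line terminators.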

Another vulnerability, identified as CVE-2024-53263, was found in Git LFS, where a newline injection could lead to credential compromise. To address these vulnerabilities, Git introduced a defense-in-depth measure by validating the credential protocol. This measure, tracked as CVE-2024-52006, introduced a new credential.protectProtocol configuration that blocks URLs containing carriage return characters. This patch effectively mitigates potential credential leaks across all credential helpers, including Git LFS.

GitHub CLI was also found to leak access tokens to arbitrary hosts due to a logic flaw in its tokenForHost function. This flaw, tracked as CVE-2024-53858, allowed access tokens to be sent to malicious hosts. This flaw was particularly critical in GitHub Codespaces, where token leakage could occur when cloning malicious repositories.

As the researcher noted in his report, 'text-based protocols are often vulnerable to injection, and a small architecture flaw can lead to a big security issue.' He expressed his hope that his research would help improve security in the Git community and looked forward to further research on Git-related projects.
