GitHub Desktop and Git Projects Vulnerabilities Could Expose User Credentials
Cybersecurity researchers have uncovered multiple security vulnerabilities affecting GitHub Desktop and other Git-related projects

CYBER SYRUP

Overview of the Vulnerabilities
Cybersecurity researchers have uncovered multiple security vulnerabilities affecting GitHub Desktop and other Git-related projects. If successfully exploited, these flaws allow an attacker to obtain a user's Git credentials, potentially compromising sensitive repositories and the systems that trust them.
The vulnerabilities, collectively referred to as Clone2Leak, stem from improper handling of Git Credential Protocol messages. Git uses this simple line-based protocol to ask an external credential helper for the username and password (or token) belonging to a given host. Because several Git-related tools emit or parse these messages loosely, a crafted repository or remote URL can cause credentials for one host to be handed to another.
List of Identified Vulnerabilities
The following vulnerabilities have been assigned CVE identifiers and CVSS scores, indicating their severity:
CVE-2025-23040 (CVSS score: 6.6) – Maliciously crafted remote URLs can lead to credential leaks in GitHub Desktop.
CVE-2024-50338 (CVSS score: 7.4) – A carriage-return character in remote URLs allows a malicious repository to leak credentials in Git Credential Manager.
CVE-2024-53263 (CVSS score: 8.5) – Git LFS (Large File Storage) permits retrieval of credentials via crafted HTTP URLs.
CVE-2024-53858 (CVSS score: 6.5) – Recursive repository cloning in GitHub CLI can leak authentication tokens to non-GitHub submodule hosts.
These vulnerabilities affect a range of Git tools and could enable attackers to steal authentication tokens, potentially giving them unauthorized access to repositories and related resources.
Technical Details and Exploitation
Git does not store credentials itself; it asks an external credential helper for them over a text protocol. Both the request (protocol, host and optionally path) and the helper's reply consist of key=value pairs, one per line, each terminated by a newline character (\n). Researchers found that GitHub Desktop is vulnerable to carriage return (\r) smuggling: a carriage return embedded in a maliciously crafted remote URL survives into the credential request and is misinterpreted as a line boundary, so the helper resolves the request against a different host than the one Git is actually connecting to, and the credentials end up at an attacker-controlled server.
GitHub acknowledged this issue, explaining that:
"Using a maliciously crafted URL, it is possible to cause the credential request from Git to be misinterpreted by GitHub Desktop. This results in sending credentials for a different host than the intended destination, leading to credential exfiltration."
Git Credential Manager has a similar flaw: a carriage return character introduced into a remote URL causes the helper to return credentials for an unintended host, which Git then sends to that host.
Git LFS likewise fails to validate control characters, allowing an attacker to inject carriage return line feed (CRLF) sequences into the HTTP URLs it handles and so expose credentials to unauthorized parties.
Another serious issue affects GitHub CLI, whose credential helper sends authentication tokens to unintended hosts under specific conditions. When the CODESPACES environment variable is set to true, as it is inside GitHub Codespaces, the helper supplies the GitHub access token for hosts other than GitHub, so cloning a malicious repository that references a submodule on an attacker-controlled host leaks the token to that host.
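The parsing mistake behind the carriage-return smuggling described above, as an added example: this is a model of the git-credential exchange written for this page, not code from Git, GitHub Desktop, Git Credential Manager, Git LFS or GitHub CLI, and not the researchers' proof of concept. The host names, the token and the in-memory credential store are constructed placeholders; the exact URL shapes each tool was attacked with are not on this page. The lenient parser treats \r as a line terminator, so a single host value carrying a smuggled \r becomes a second host= line; the strict parser and the protect flag on the client side refuse the value instead.

```python
# Added example: model of the git-credential protocol and CR smuggling.
# Not code from any of the affected projects; hosts/token are constructed.
import re

CONTROL = re.compile(r"[\x00-\x1f\x7f]")

# Constructed helper store: the credentials the helper holds for a real host.
STORE = {("https", "github.com"): ("octocat", "ghp_constructed_example_token")}


def write_request(protocol, host, path=None, protect=True):
    """Client side (what git writes to the helper's stdin): key=value lines,
    terminated by an empty line. With protect=True the function refuses to
    emit a value containing a newline or carriage return rather than passing
    it through, which is the Git 2.48.1-style behaviour."""
    items = [("protocol", protocol), ("host", host)]
    if path is not None:
        items.append(("path", path))
    for key, value in items:
        if "\n" in value or (protect and "\r" in value):
            raise ValueError(f"refusing to write {key}: control character in value")
    return "".join(f"{k}={v}\n" for k, v in items) + "\n"


def parse_lenient(data):
    """Vulnerable helper-side parser: treats \\r, \\n and \\r\\n as line ends."""
    fields = {}
    for line in re.split(r"\r\n|\r|\n", data):
        if line:
            key, _, value = line.partition("=")
            fields[key] = value  # a later duplicate key silently wins
    return fields


def parse_strict(data):
    """Hardened helper-side parser: only \\n ends a line, control characters
    and duplicate keys are fatal."""
    fields = {}
    for line in data.split("\n"):
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or CONTROL.search(key) or CONTROL.search(value):
            raise ValueError(f"malformed credential line: {line!r}")
        if key in fields:
            raise ValueError(f"duplicate key {key!r}")
        fields[key] = value
    return fields


def helper_get(data, parser):
    """Helper 'get' operation: look up credentials for the request's host."""
    fields = parser(data)
    return STORE.get((fields.get("protocol"), fields.get("host")))


def demo():
    # Attacker-controlled host value with an embedded CR (for instance from a
    # %0d in a remote or submodule URL) that smuggles a second "host=" line.
    evil_host = "attacker.example\rhost=github.com"
    unprotected = write_request("https", evil_host, protect=False)

    # Git asked about attacker.example, but the lenient helper answers for
    # github.com: these credentials go to the attacker's server.
    leaked = helper_get(unprotected, parse_lenient)
    try:
        helper_get(unprotected, parse_strict)
        strict = "returned"
    except ValueError:
        strict = "rejected"
    try:
        write_request("https", evil_host)  # protect=True: client-side refusal
        client = "written"
    except ValueError:
        client = "rejected"
    return leaked, strict, client


if __name__ == "__main__":
    print(demo())
```

Both fixes are worth having: the helper-side check protects against any client that still passes control characters through, and the client-side check protects every helper that is configured, including ones that have not been patched.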
Potential Impact of Exploitation
If successfully exploited, these vulnerabilities could:
Expose authentication tokens to unauthorized parties.
Allow attackers to access privileged repositories and modify code.
Compromise developer accounts, leading to software supply chain attacks.
With the rise of software supply chain attacks, these vulnerabilities present a significant risk, as attackers could infiltrate trusted repositories and distribute malicious code.
Remediation and Mitigation Measures
Patching and Fixes
The affected projects have responded by releasing patches to mitigate these vulnerabilities:
Git version 2.48.1 addresses CVE-2024-52006, a related credential leakage vulnerability caused by carriage return smuggling, on the Git side: Git itself now refuses to pass credential protocol values containing a carriage return to a helper, which blocks the smuggling regardless of how a given helper parses its input.
GitHub has updated GitHub Desktop and GitHub CLI to fix the identified flaws.
Git Credential Manager and Git LFS have been patched to handle maliciously crafted URLs more securely.
Security Best Practices
To reduce the risk of exploitation, users are strongly advised to update to the latest versions of all Git-related tools. If immediate patching is not feasible, consider the following mitigations:
Avoid Cloning Untrusted Repositories – Do not run git clone --recurse-submodules against repositories from unknown or unverified sources; a malicious .gitmodules file controls the URLs that Git and its credential helper will be asked about.
Disable Credential Helper for Untrusted Repositories – Limit the use of the credential helper to prevent unintended credential exposure.
Manually Review Repository URLs – Before interacting with repositories, check remote and submodule URLs for anomalies or unusual characters, including percent-encoded control characters such as %0d and %0a.
Restrict GitHub CLI Token Usage – Scope the GitHub CLI credential helper to trusted GitHub hosts (for example under credential.https://github.com.helper rather than the global credential.helper) so that Git does not consult it for arbitrary hosts.
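The URL review and submodule-host checks above, as an added example: a pre-clone audit of a repository's .gitmodules written for this page, not a script from GitHub, Git or the article's authors. It flags submodule URLs carrying raw or percent-encoded control characters (the smuggling primitive behind Clone2Leak) and URLs whose host is outside an allowlist (the non-GitHub submodule hosts that the GitHub CLI issue leaks tokens to). The sample .gitmodules and the allowlist are constructed for the example.

```python
# Added example: audit .gitmodules before `git clone --recurse-submodules`.
# Not a tool from any of the projects discussed; the sample file is constructed.
import re
from pathlib import Path
from urllib.parse import unquote, urlsplit

CONTROL = re.compile(r"[\x00-\x1f\x7f]")
SECTION_LINE = re.compile(r'^\s*\[submodule "(.+)"\]\s*$')
URL_LINE = re.compile(r"^\s*url\s*=\s*(.+?)\s*$")

# Constructed sample: one benign submodule, one with a %0d-smuggled host line,
# one pointing at a host outside the allowlist.
SAMPLE_GITMODULES = """\
[submodule "vendor/good"]
\tpath = vendor/good
\turl = https://github.com/example/good.git
[submodule "vendor/smuggle"]
\tpath = vendor/smuggle
\turl = https://github.com%0dhost=github.com/example/smuggle.git
[submodule "vendor/elsewhere"]
\tpath = vendor/elsewhere
\turl = https://git.attacker.example/example/elsewhere.git
"""


def submodule_urls(text):
    """Return [(submodule name, url)] for every url= line in a .gitmodules file."""
    section, out = None, []
    for line in text.splitlines():
        m = SECTION_LINE.match(line)
        if m:
            section = m.group(1)
            continue
        m = URL_LINE.match(line)
        if m and section is not None:
            out.append((section, m.group(1)))
    return out


def audit_url(url, allowed_hosts):
    """Return the list of problems found in one URL (empty means nothing flagged)."""
    problems = []
    decoded = unquote(url)  # %0d -> \r, %0a -> \n: check the decoded form too
    if CONTROL.search(url) or CONTROL.search(decoded):
        problems.append("control character (raw or percent-encoded) in URL")
    try:
        host = urlsplit(decoded).hostname or ""
    except ValueError:
        host = ""
    if host.lower() not in allowed_hosts:
        problems.append(f"host {host!r} not in allowlist")
    return problems


def audit_gitmodules(text, allowed_hosts=("github.com",)):
    """Map submodule name -> problems, for submodules that have any."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = {}
    for section, url in submodule_urls(text):
        problems = audit_url(url, allowed)
        if problems:
            findings[section] = problems
    return findings


if __name__ == "__main__":
    # Audit the real file when run inside a checkout, else the sample.
    target = Path(".gitmodules")
    text = target.read_text() if target.exists() else SAMPLE_GITMODULES
    for name, problems in audit_gitmodules(text).items():
        print(f"{name}: {'; '.join(problems)}")
```

Run it from a freshly cloned (non-recursive) checkout before initialising submodules; an empty result means no submodule URL contains a control character and every host is on the allowlist. The check covers only .gitmodules; the same idea applies to any other repository-supplied URL that a tool hands to Git.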
Conclusion
The Clone2Leak vulnerabilities highlight serious security weaknesses in widely used Git-related tools. The improper handling of credentials and URLs within these tools can expose developers and organizations to significant risk, particularly in the context of software supply chain security.
By updating to patched versions, implementing best practices, and maintaining vigilance when interacting with repositories, developers can protect their credentials and minimize the risk of exploitation. As attackers continue to target software development environments, organizations must prioritize supply chain security and proactively mitigate emerging threats.