Summary: A vulnerability in Git's credential retrieval protocol could lead to credential leakage because of improper handling of protocol messages. The flaw, tracked as CVE-2025-23040, stems from a GitHub Desktop feature that automatically supplies credentials in response to crafted URLs. Patches have since been released to address these vulnerabilities across the affected platforms.
Affected: Git, GitHub Desktop, Git Credential Manager, Git LFS
Key points:
- Security researcher RyotaK identified multiple vulnerabilities in Git’s credential retrieval mechanisms.
- The vulnerabilities arise from improper handling of the carriage return character, leading to credential leakage.
- Git has implemented patches for the flaws, rejecting URLs with carriage return characters to mitigate the risks.
- Previous instances of similar vulnerabilities have been reported in GitHub Codespaces and GitHub CLI.
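As an added illustration (not from the article, and not Git's own source), the sketch below shows the two defensive checks the key points imply: reject a URL that carries a carriage return before it is turned into credential-helper protocol lines, and validate the newline-delimited key=value input on the helper side. Function names, the `CONTROL_CHARS` set and the unconditional `path` field are assumptions; the code mirrors the described mitigation in spirit, not Git's implementation.

```python
from urllib.parse import urlsplit

# The credential-helper protocol is newline-delimited "key=value" text ended by
# a blank line. A CR or LF smuggled into a URL component would change where a
# line ends once the URL becomes protocol text, the bug class described above.
CONTROL_CHARS = ("\r", "\n", "\0")  # assumed set for this example


def url_is_safe(url: str) -> bool:
    """Check the *raw* URL. urlsplit() silently strips CR/LF/TAB, so a check
    done after parsing would miss exactly the characters that matter here."""
    return not any(ch in url for ch in CONTROL_CHARS)


def credential_request(url: str) -> str:
    """Build the text Git would hand to `git credential fill` for URL, or raise.
    Mirrors the described fix: a URL with a control character is rejected
    outright instead of being split into protocol lines."""
    if not url_is_safe(url):
        raise ValueError("control character in URL; not querying credential helper")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only http(s) URLs with a host are supported")
    fields = [("protocol", parts.scheme), ("host", parts.netloc.rsplit("@", 1)[-1])]
    if parts.username:
        fields.append(("username", parts.username))
    if parts.path.strip("/"):
        # Real Git only sends path when credential.useHTTPPath is enabled.
        fields.append(("path", parts.path.lstrip("/")))
    return "".join(f"{k}={v}\n" for k, v in fields) + "\n"


def parse_helper_input(text: str) -> dict:
    """Helper-side parse of a request; raises on any line that is not a clean
    key=value pair, including a value carrying a stray CR."""
    attrs = {}
    for line in text.split("\n"):
        if line == "":
            break  # blank line terminates the request
        key, sep, value = line.partition("=")
        if not sep or not key or any(ch in line for ch in CONTROL_CHARS):
            raise ValueError(f"malformed credential line: {line!r}")
        attrs[key] = value
    return attrs


def helper_input_is_valid(text: str) -> bool:
    """Boolean wrapper around parse_helper_input for callers that only gate."""
    try:
        parse_helper_input(text)
        return True
    except ValueError:
        return False
```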
Source: https://www.securityweek.com/git-vulnerabilities-led-to-credentials-exposure/