Security engineer uncovers multiple Git vulnerabilities


Ryan Daws is a senior editor at TechForge Media with over a decade of experience in crafting compelling narratives and making complex topics accessible. His articles and interviews with industry leaders have earned him recognition as a key influencer by organisations like Onalytica. Under his leadership, publications have been praised by analyst firms such as Forrester for their excellence and performance. Connect with him on X (@gadget_ry), Bluesky (@gadgetry.bsky.social), and/or Mastodon (@gadgetry@techhub.social)


A security engineer has revealed a series of critical vulnerabilities in Git tools that exposed millions of developers to credential theft.

RyotaK, a security engineer at GMO Flatt Security Inc., was bug hunting for the GitHub Bug Bounty program in October 2024 when they discovered weaknesses in GitHub Desktop, Git Credential Manager, Git LFS, GitHub CLI, and GitHub Codespaces—all stemming from improper input validation and handling of text-based protocols.

Git Credential Protocol and its vulnerabilities

These vulnerabilities revolve around the Git credential protocol, the text format Git uses to talk to credential helpers: a request or reply is a series of key=value pairs, one per line, each ended by a newline (\n), with a blank line closing the message.

Git refuses to write a value containing a newline or a NUL byte, since either would let a value pose as a fresh line or cut the message short. It did not, however, reject carriage returns (\r). A helper that treats a bare \r as a line ending therefore reads a single value containing \r as two lines, so an attacker who can get a \r into a value (for instance through a URL-encoded %0d in a repository URL) can inject a key=value pair of their choosing into the request.

The vulnerabilities:

  • GitHub Desktop (CVE-2025-23040) A crafted submodule URL containing %0d (a URL-encoded carriage return) slipped past GitHub Desktop’s credential-request parsing, tricking it into returning the user’s github.com credentials for an attacker-controlled host.
  • Git Credential Manager (CVE-2024-50338) GCM read the credential request with .NET’s StreamReader, whose ReadLine treats a bare carriage return as a line terminator, so a \r inside a value smuggled a second key=value line and could redirect stored credentials to an attacker’s host.
  • Git LFS (CVE-2024-53263) Git LFS passed parts of a remote host’s URL to git credential without checking for embedded line-end characters, so URL-encoded LF or CR characters in a repository’s LFS remote URL could inject lines into the credential request, bypass Git’s own safeguards and leak credentials to an attacker.
  • GitHub CLI (CVE-2024-53858) Logic flaws caused GitHub CLI’s credential helper to hand out access tokens for any host, not only the one requested, when certain environment variables such as CODESPACES=true or GITHUB_ENTERPRISE_TOKEN were set, leaking them to attacker-controlled domains.
  • GitHub Codespaces: Codespaces’ credential helper script (gitcredential_github.sh) returned sensitive tokens for all Git operations, regardless of which host asked for them.

In response, Git itself was fixed (CVE-2024-52006) with a new credential.protectProtocol configuration option: when set, Git refuses to pass a credential value containing a carriage return (\r) to a helper, just as it already refused newlines.

The option is enabled by default, and because the check sits in Git rather than in each helper it covers every helper Git drives; Git LFS shipped a corresponding fix. GitHub also updated Codespaces’ credential helper to check the requested host and to return tokens only for github.com.
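To make the mechanism concrete, here is an added example in Python, written for this page and not code from Git, GCM, GitHub Desktop, Git LFS or gh. It models the request Git writes to a helper, a helper that parses it the way a .NET StreamReader-style loop would (any of \r, \n or \r\n ends a line), a helper that splits only on \n, and the two checks Git applies before writing a value: the pre-fix check that rejects only \n and NUL, and the credential.protectProtocol check that also rejects \r. The credential store, the token and the host attacker.example are constructed placeholders, and the \r-in-host request is a simplified model of the smuggling pattern, not a reproduction of any advisory’s payload.

```python
"""Carriage-return smuggling in the Git credential protocol (added example).

Not code from the article or from any of the affected projects. All inputs
below are constructed so the script runs offline.
"""
from typing import Callable, Dict, Optional, Tuple

# Constructed credential store: what a helper has saved for github.com.
STORE: Dict[str, Tuple[str, str]] = {"github.com": ("octocat", "ghp_EXAMPLE_TOKEN")}

# Pre-fix Git refused only "\n" and NUL in a credential value.
LEGACY_REJECT = "\n\0"
# credential.protectProtocol=true (Git's fix for CVE-2024-52006) also refuses "\r".
PROTECTED_REJECT = "\n\0\r"


def build_request(protocol: str, host: str, reject: str) -> str:
    """Serialise a request the way Git writes it to a helper: one key=value
    per line, ended by a blank line. `reject` lists the characters that Git
    refuses to write inside a value."""
    for key, value in (("protocol", protocol), ("host", host)):
        bad = [c for c in value if c in reject]
        if bad:
            raise ValueError(f"credential value for {key} contains {bad[0]!r}")
    return f"protocol={protocol}\nhost={host}\n\n"


def parse_universal_newlines(blob: str) -> Dict[str, str]:
    """Helper parser that, like .NET's StreamReader.ReadLine, ends a line at
    "\r", "\n" or "\r\n". A bare "\r" inside a value therefore starts a new
    key=value line, and a later host= silently overrides the real one."""
    fields: Dict[str, str] = {}
    for line in blob.splitlines():  # splitlines() treats "\r" as a terminator too
        if line == "":
            break
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    return fields


def parse_lf_only(blob: str) -> Dict[str, str]:
    """Helper parser that ends a line only at "\n", matching how Git itself
    frames the protocol. A "\r" stays inside the host value."""
    fields: Dict[str, str] = {}
    for line in blob.split("\n"):
        if line == "":
            break
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    return fields


def helper_get(blob: str, parser: Callable[[str], Dict[str, str]]) -> Optional[Tuple[str, str]]:
    """Model of a helper's `get` action: parse the request and return the
    stored credential for whatever host the parsed request names."""
    fields = parser(blob)
    return STORE.get(fields.get("host", ""))


def credential_leaks(host: str, reject: str, parser: Callable[[str], Dict[str, str]]) -> bool:
    """Does a request for `host` make the helper hand back a stored
    credential for github.com? False when Git refuses to write the request."""
    try:
        blob = build_request("https", host, reject)
    except ValueError:
        return False
    return helper_get(blob, parser) is not None


if __name__ == "__main__":
    # Constructed malicious host: the attacker's host followed by a smuggled
    # second host= line, as a helper would see it once %0d has been decoded.
    evil = "attacker.example\rhost=github.com"
    print(credential_leaks(evil, LEGACY_REJECT, parse_universal_newlines))     # True: the leak
    print(credential_leaks(evil, LEGACY_REJECT, parse_lf_only))                # False
    print(credential_leaks(evil, PROTECTED_REJECT, parse_universal_newlines))  # False
```

Run as-is, the script prints True only for the pre-fix check paired with the universal-newline parser: the helper looks up and returns github.com’s credential for a request that was not for github.com. Either a stricter helper parser or the \r check in Git blocks it, which is why putting the check on Git’s side of the protocol is the more robust fix: it does not depend on every helper framing lines the same way Git does.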

RyotaK’s findings highlight the persistent dangers of text-based protocols and inadequate validation. As the engineer noted, “A small architecture flaw can lead to a big security issue.”

Developers and platform maintainers are encouraged to adopt defence-in-depth strategies and test rigorously for input parsing vulnerabilities.

