Several security vulnerabilities have been revealed in GitHub Desktop and other Git-related projects that, if exploited, could enable an attacker to access a user’s Git credentials without authorization.
“Git employs a protocol called the Git Credential Protocol to obtain credentials from the credential helper,” explained GMO Flatt Security researcher Ry0taK, who discovered the vulnerabilities, in an analysis published on Sunday. “Improper handling of messages made many projects vulnerable to credential leakage in various ways.”
The list of identified vulnerabilities, dubbed Clone2Leak, is as follows –
- CVE-2025-23040 (CVSS score: 6.6) – Maliciously crafted remote URLs could lead to credential leaks in GitHub Desktop
- CVE-2024-50338 (CVSS score: 7.4) – Carriage-return character in remote URL allows the malicious repository to leak credentials in Git Credential Manager
- CVE-2024-53263 (CVSS score: 8.5) – Git LFS permits retrieval of credentials via crafted HTTP URLs
- CVE-2024-53858 (CVSS score: 6.5) – Recursive repository cloning in GitHub CLI can leak authentication tokens to non-GitHub submodule hosts
The credential helper is intended to return a message with credentials separated by the newline character (“\n”). However, research has revealed that GitHub Desktop is vulnerable to a case of carriage return (“\r”) smuggling. By injecting this character into a specially crafted URL, an attacker can potentially leak credentials to a host they control.
According to GitHub’s advisory, “Using a maliciously crafted URL, it’s possible to mislead the credential request from Git to GitHub Desktop, causing it to send credentials for a different host than the one Git is currently communicating with, which allows for secret exfiltration.”
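To make the carriage-return smuggling concrete, here is an added Python illustration (not code from the article or from any of the affected projects): a credential-request parser that treats a bare carriage return as a line break takes the smuggled host, while a strict parser that splits only on newlines and refuses control characters rejects the message. The request text and host names are constructed placeholders.

```python
"""Constructed example: lenient vs. strict parsing of a Git credential
protocol request (key=value lines separated by LF, ended by a blank line)."""


class MalformedCredentialRequest(ValueError):
    """Raised when a request carries control characters or bad lines."""


# Constructed sample: the path value carries a "\rhost=..." fragment that a
# crafted remote URL could smuggle in. Hosts are placeholders, not real ones.
SMUGGLED_REQUEST = (
    "protocol=https\n"
    "host=github.com\n"
    "path=org/repo.git\rhost=attacker.invalid\n"
    "\n"
)

BENIGN_REQUEST = "protocol=https\nhost=github.com\npath=org/repo.git\n\n"


def parse_lenient(message: str) -> dict:
    """Vulnerable pattern: str.splitlines() also breaks on a bare '\r', so the
    smuggled 'host=' line is parsed as a real line and overrides the first."""
    fields = {}
    for line in message.splitlines():
        if line == "":
            break  # blank line ends the request
        key, _, value = line.partition("=")
        fields[key] = value
    return fields


def parse_strict(message: str) -> dict:
    """Hardened pattern: split only on LF and reject any control character in
    a line, so a '\r' inside a value can never act as a line terminator."""
    fields = {}
    for line in message.split("\n"):
        if line == "":
            break
        if any(ord(ch) < 0x20 or ch == "\x7f" for ch in line):
            raise MalformedCredentialRequest("control character in request")
        key, sep, value = line.partition("=")
        if not sep or not key:
            raise MalformedCredentialRequest(f"bad line: {line!r}")
        fields[key] = value
    return fields


def strict_accepts(message: str) -> bool:
    """True if the strict parser accepts the request, False if it rejects it."""
    try:
        parse_strict(message)
        return True
    except MalformedCredentialRequest:
        return False
```

Run against the two constructed requests, the lenient parser attributes the smuggled request to `attacker.invalid`, while the strict parser accepts only the benign one.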
A similar vulnerability has been found in the Git Credential Manager NuGet package, which can expose credentials to an unrelated host. Additionally, Git LFS has been shown not to check for embedded control characters, making it susceptible to carriage return line feed (CRLF) injection through crafted HTTP URLs.
In another case, the vulnerability affecting GitHub CLI exploits the fact that access tokens can be sent to hosts other than github[.]com and ghe[.]com, provided that the environment variables GITHUB_ENTERPRISE_TOKEN, GH_ENTERPRISE_TOKEN, and GITHUB_TOKEN are set, along with CODESPACES being set to “true” for the latter.
Ry0taK noted, “While the enterprise-related variables are not commonly used, the CODESPACES environment variable is always true when running on GitHub Codespaces. Therefore, cloning a malicious repository on GitHub Codespaces using GitHub CLI will inevitably leak the access token to the attacker’s hosts.”
If these vulnerabilities are successfully exploited, a malicious third party could use the leaked authentication tokens to gain access to privileged resources.
The Git project has classified the credential leakage caused by carriage return smuggling as a distinct vulnerability (CVE-2024-52006, CVSS score: 2.1) and has addressed it in version v2.48.1.
According to GitHub software engineer Taylor Blau, “This vulnerability is related to CVE-2020-5260, but it depends on how some credential helper implementations interpret single carriage return characters as newlines,” as he explained in a post regarding CVE-2024-52006.
The latest update also resolves CVE-2024-50349 (CVSS score: 2.1), which could allow an attacker to create URLs with escape sequences that deceive users into entering their credentials on unauthorized sites.
Users are encouraged to upgrade to the latest version to safeguard against these vulnerabilities. If immediate updates are not feasible, the risks can be reduced by refraining from using git clone with --recurse-submodules on untrusted repositories. Additionally, it is advisable to avoid using the credential helper and only clone publicly accessible repositories.