Big GitHub Security Flaws Could Let Hackers Steal Your Credentials

GitHub Desktop and related Git projects have major security flaws that could allow attackers to steal Git credentials. A researcher discovered vulnerabilities that enable credential leakage through crafted URLs or commands, leading to unauthorized access.

The key flaws include:
1. CVE-2025-23040: Remote URLs crafted with malicious IPs can leak credentials in GitHub Desktop.
2. CVE-2024-50338: Carriage-return characters in remote URLs enable credential leakage in Git Credential Manager.
3. CVE-2024-53263: Crafted HTTP URLs with CRLF can retrieve credentials from Git LFS.
4. CVE-2024-53858: Recursive cloning on GitHub CLI can leak authentication tokens to unintended hosts.

The underlying issue is that these tools interpret a carriage-return character (“\r”) as a newline. Researchers advise updating to fix CVE-2024-52006 in GitHub Desktop (CVSS score: 2.1). CVE-2024-50349 (CVSS score: 2.1), which allows crafted URLs to trick users into sharing credentials with arbitrary sites, has likewise been patched.
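As an added illustration (not code from the article or from any of the affected projects), the following Python models how the line-based git credential helper protocol turns a carriage return inside a remote URL into an extra `host=` line, and shows the input check that stops it. The URL splitting and the malicious sample URL are simplified and constructed for this demonstration.

```python
import re

# The git credential helper protocol exchanges one "key=value" per line and
# ends the request with a blank line.  A value that contains "\r" or "\n" is
# therefore read as a line break and can smuggle an additional key=value pair.
CONTROL_CHARS = re.compile(r"[\r\n\x00]")


def split_url(remote_url: str) -> tuple[str, str, str]:
    """Minimal scheme/host/path split (constructed for the demo; a real
    parser is more involved but the failure mode is the same)."""
    scheme, _, rest = remote_url.partition("://")
    host, _, path = rest.partition("/")
    return scheme, host, path


def naive_credential_request(remote_url: str) -> str:
    """Serialise a URL into protocol lines WITHOUT rejecting control
    characters: this mirrors the class of bug described above."""
    scheme, host, path = split_url(remote_url)
    lines = [f"protocol={scheme}", f"host={host}"]
    if path:
        lines.append(f"path={path}")
    return "\n".join(lines) + "\n\n"


def parse_credential_request(blob: str) -> dict:
    """Parse the request the way a helper does: stop at the blank line,
    and a repeated key overrides the earlier value."""
    fields = {}
    for line in blob.splitlines():
        if not line:
            break
        key, _, value = line.partition("=")
        fields[key] = value
    return fields


def hardened_credential_request(remote_url: str) -> str:
    """Refuse any URL that could inject a new protocol line."""
    if CONTROL_CHARS.search(remote_url):
        raise ValueError("remote URL contains control characters")
    return naive_credential_request(remote_url)


def effective_host(remote_url: str) -> str:
    """Host the helper would actually look up credentials for."""
    return parse_credential_request(naive_credential_request(remote_url))["host"]
```

With a clean URL the helper sees the expected host; with a constructed URL carrying `\r\nhost=evil.example` the second `host=` line wins, which is exactly what the hardened check prevents.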

To mitigate the risk, update to version v2.48.1 and wait for fixes in the other projects. Users should avoid running git clone with --recurse-submodules on untrusted repositories and should use the credential helper only for public repositories. Patch immediately where possible to guard against these vulnerabilities.

Source: https://thehackernews.com/2025/01/github-desktop-vulnerability-risks.html