
Security Engineer Discovers Multiple Git Vulnerabilities: Risks & Fixes

by gauravsinghigc

Tags : Git security flaws, software vulnerabilities, cybersecurity | Published at : 10 Feb 2025 12:43 PM | Author : Gaurav Singh (gauravsinghigc)

A security engineer has identified critical Git vulnerabilities, highlighting the need for stronger repository protection and cybersecurity practices.


Critical Git Vulnerabilities Exposed: Millions of Developers at Risk

A security engineer has uncovered multiple vulnerabilities in Git and Git-related tools that exposed developers to credential theft. The affected tools included GitHub Desktop, Git Credential Manager, Git LFS, GitHub CLI, and GitHub Codespaces, and the flaws shared a root cause: insufficient validation of the values passed between Git and its credential helpers.

RyotaK, a security researcher at GMO Flatt Security Inc., found the issues in October 2024 and reported them through the GitHub Bug Bounty program. The findings show how loosely handled text-based protocols can turn an unremarkable parsing difference into credential leakage.

🔍 Understanding the Git Credential Protocol Vulnerabilities

These security flaws revolve around the Git Credential Protocol, the line-based key=value format Git uses to talk to credential helpers: each pair is terminated by a newline (\n), and a blank line ends the message.

Git already refused to write values containing newlines or NUL bytes, which stops straightforward line injection. It did not, however, reject carriage return characters (\r). Any helper that treats a lone \r as a line terminator would therefore read an attacker-controlled value as one or more extra protocol lines. The issue surfaced in several tools:

📌 GitHub Desktop (CVE-2025-23040)
  • A malicious submodule URL containing %0d (the URL-encoded form of a carriage return) survived GitHub Desktop's URL handling and reached the credential helper.
  • The helper read the injected text as a protocol line of its own, and the user's github.com credentials ended up being sent to an attacker-controlled host.
📌 Git Credential Manager (CVE-2024-50338)
  • GCM read the protocol with .NET's StreamReader, whose ReadLine treats a lone \r as a line terminator, so a \r smuggled inside a value was split into an additional key=value pair.
  • A crafted URL could therefore make GCM return stored credentials for a host other than the one Git was actually contacting.
📌 Git LFS (CVE-2024-53263)
  • Newline injection through configuration that a malicious repository controls let the repository influence the credential request Git LFS built.
  • This bypassed the safeguards Git itself applies and allowed stored credentials to be exfiltrated.
📌 GitHub CLI (CVE-2024-53858)
  • A flaw in the logic that decides which token to use for a given host caused GitHub CLI to send access tokens to attacker-controlled hosts.
  • The exploit depended on environment variables such as CODESPACES=true and GITHUB_ENTERPRISE_TOKEN being set.
📌 GitHub Codespaces
  • The gitcredential_github.sh helper script in Codespaces returned the environment's token for any Git operation, regardless of the host being authenticated to.
  • A Git operation against an attacker-controlled host therefore received a token that granted access to the user's private repositories.
🛡️ How Git Responded to These Threats

In response, Git added a protocol-level defense, the credential.protectProtocol configuration setting, as its fix for CVE-2024-52006 (the Git-side part of the issue, shipped in Git 2.48.1). With the setting enabled, which is the default, Git refuses to pass any value containing a carriage return to a credential helper; it should not be turned off to work around a helper that mishandles \r.

🔹 Key Security Fixes:
  • 🚨 Git now rejects credential values (including those derived from URLs) that contain carriage return characters (\r), so a \r can no longer become a forged protocol line.
  • 🔍 GitHub updated the Codespaces credential helper to check which host is requesting credentials before handing over a token.
  • 🔑 Git LFS was hardened so that a malicious repository can no longer abuse its configuration handling to inject credential-protocol lines.
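The following Python script is an added example, not code from Git, GCM or the original post. It models both halves of the problem described above and the fix: a toy client that turns a URL into credential-protocol lines, a lenient helper that treats a lone \r as a line terminator (the .NET StreamReader.ReadLine behaviour), a strict helper that splits on \n only, and a protectProtocol-style writer that refuses carriage returns. The hostname attacker.example.org and the URL layout are constructed for illustration; the injected %0dhost=github.com decodes to \r followed by a forged host= line, which is the general shape of the attack rather than the exact payload used against any one tool.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample input (hypothetical attacker host). The %0d in the path
# URL-decodes to a carriage return followed by a forged "host=" pair.
MALICIOUS_URL = "https://attacker.example.org/repo%0dhost=github.com"
BENIGN_URL = "https://github.com/org/repo"


def build_credential_request(url: str) -> dict:
    """Toy model of how a Git-like client derives the key/value pairs it
    sends to a credential helper (an assumption, not Git's own code)."""
    parts = urlsplit(url)
    return {
        "protocol": parts.scheme,
        "host": unquote(parts.netloc),
        "path": unquote(parts.path.lstrip("/")),
    }


def serialize_unsafe(request: dict) -> str:
    """Pre-fix writer: rejects LF and NUL in values but lets CR through."""
    lines = []
    for key, value in request.items():
        if "\n" in value or "\0" in value:
            raise ValueError(f"credential value for {key} contains newline")
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n\n"


def serialize_protected(request: dict) -> str:
    """Post-fix writer modelled on credential.protectProtocol: CR is
    rejected as well, so a helper can never see a forged line."""
    for key, value in request.items():
        if "\r" in value:
            raise ValueError(
                f"credential value for {key} contains carriage return")
    return serialize_unsafe(request)


def parse_lenient(message: str) -> dict:
    """Helper-side reader that treats \\r, \\n and \\r\\n as line
    terminators, as .NET StreamReader.ReadLine (and str.splitlines) do."""
    creds = {}
    for line in message.splitlines():
        if line == "":
            break  # blank line terminates the request
        key, _, value = line.partition("=")
        creds[key] = value  # a later pair overrides an earlier one
    return creds


def parse_strict(message: str) -> dict:
    """Helper-side reader that splits on \\n only, as the protocol
    specifies; a stray \\r stays inside the value and cannot begin a key."""
    creds = {}
    for line in message.split("\n"):
        if line == "":
            break
        key, _, value = line.partition("=")
        creds[key] = value
    return creds


def looked_up_host(url: str, protected: bool, lenient_helper: bool) -> str:
    """Return the host whose stored credentials the helper would look up and
    hand back, or 'rejected' when the client refuses to serialize."""
    request = build_credential_request(url)
    writer = serialize_protected if protected else serialize_unsafe
    try:
        message = writer(request)
    except ValueError:
        return "rejected"
    reader = parse_lenient if lenient_helper else parse_strict
    return reader(message)["host"]


def credential_leaks(url: str, protected: bool, lenient_helper: bool) -> bool:
    """True when the helper returns credentials for a host other than the
    one the client is actually about to contact with them."""
    host = looked_up_host(url, protected, lenient_helper)
    return host not in ("rejected", urlsplit(url).hostname)


if __name__ == "__main__":
    for protected in (False, True):
        for lenient in (True, False):
            print(f"protectProtocol={protected!s:5} lenient_helper={lenient!s:5} "
                  f"helper looks up {looked_up_host(MALICIOUS_URL, protected, lenient)!r}, "
                  f"leak={credential_leaks(MALICIOUS_URL, protected, lenient)}")
```

Only the combination of an unprotected client and a lenient helper leaks: the helper looks up github.com while the client is about to send whatever it gets back to attacker.example.org. A strict helper keeps the \r inside the path value, and the protectProtocol-style writer refuses the request before any helper is consulted, which is why the Git-side fix closes the hole even for helpers that were never patched.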
📌 Lessons for Developers & Security Teams

RyotaK's findings are a stark reminder of the risks that text-based protocols carry when their delimiters are not validated consistently on both ends. As the researcher put it:

“A small architecture flaw can lead to a big security issue.”

To mitigate risks, developers and platform maintainers should adopt a defense-in-depth strategy that includes:

  • ✔️ Implementing strict input validation, treating carriage returns as well as newlines and NUL bytes as delimiters that must be rejected in any line-based protocol.
  • ✔️ Conducting regular security audits of authentication mechanisms, including how credential helpers parse what they receive.
  • ✔️ Applying security patches and updates promptly, so that protections like credential.protectProtocol are in place on every developer machine.
📝 Final Thoughts

The exposure of these Git vulnerabilities underscores the ongoing challenges in securing developer tools. By strengthening security practices and remaining vigilant, the developer community can better protect against emerging threats and safeguard critical credentials.
