GitHub Desktop Security Risks: Potential Credential Leaks from Malicious Remote URLs

Multiple Vulnerabilities Discovered in GitHub Desktop and Related Projects

Recently, a series of critical security vulnerabilities has been uncovered in GitHub Desktop and various Git-related projects, potentially allowing unauthorized access to users’ Git credentials. These vulnerabilities, collectively referred to as “Clone2Leak,” pose significant risks to developers and organizations relying on these tools.

The flaws were identified by Ry0taK, a security researcher from GMO Flatt, who explained that the vulnerabilities stem from improper message handling in Git’s credential retrieval process. This mechanism uses the Git Credential Protocol to fetch user credentials from designated credential helpers. Unfortunately, several projects within the Git ecosystem failed to adequately secure this process, leading to potential credential leakage.

Among the vulnerabilities identified are CVE-2025-23040, which permits attackers to exploit specially crafted remote URLs to extract credentials from GitHub Desktop; CVE-2024-50338, where a carriage-return character in a remote URL could cause a credential leak in the Git Credential Manager; and CVE-2024-53263, which exposes Git LFS to credential retrieval via malicious HTTP URLs. Additionally, CVE-2024-53858 shows that recursive repository cloning within GitHub CLI can accidentally expose authentication tokens to unauthorized hosts.

A noteworthy aspect of these vulnerabilities lies in how GitHub Desktop mishandles carriage return (“\r”) characters. This character may inadvertently allow credentials intended for one host to be sent to another, enabling attackers to exfiltrate sensitive data. For instance, GitHub noted that a crafted URL could distort Git’s credential requests, leading to unintentional credential sharing that could fall into malicious hands.

The ramifications of these vulnerabilities are not limited to GitHub Desktop alone; the Git Credential Manager and Git LFS were also found lacking in safeguards against such attacks. The Git Credential Manager’s implementation does not sufficiently check for embedded control characters, raising the risk of CRLF injection attacks. GitHub CLI, for its part, is exposed through its access token configuration when cloning malicious repositories, especially when operating in GitHub Codespaces, where environment variables are automatically set to allow broader access.

Exploiting these vulnerabilities could enable malicious third parties to gain unauthorized access to sensitive resources, heightening the urgency for users to take protective measures.

In response to these disclosures, the Git project classified the carriage-return smuggling issue as a distinct vulnerability (CVE-2024-52006) and addressed it in version 2.48.1. The latest release also resolves CVE-2024-50349, which could allow adversaries to use escape sequences in crafted URLs to mislead users into revealing their credentials.
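The carriage-return and escape-sequence problems described above come down to one thing: the Git credential protocol exchanges newline-terminated key=value lines (protocol=, host=, and so on), so any remote URL that carries a raw control character can corrupt the request a credential helper receives. The following is an added example, not code from GitHub Desktop, Git or any of the projects named on this page. It shows the pre-check a wrapper around `git credential fill` would apply: reject URLs containing CR, LF, NUL or ESC before building the request, and reject helper replies whose lines are malformed or repeat a key. The function names and the sample URLs are constructed for this example.

```python
"""Pre-check a Git remote URL before it reaches a credential helper.

Added example (not Git's or GitHub's own code). The Git credential protocol
reads newline-terminated key=value lines on stdin, so a URL carrying a raw
carriage return, newline, NUL or ANSI escape can alter the request a helper
sees. The checks below refuse such input; all sample values are constructed.
"""
import re
from urllib.parse import urlsplit

# Characters that must never reach a credential helper inside a URL:
# \r and \n terminate or inject protocol lines, \0 truncates C strings,
# \x1b begins a terminal escape sequence that can disguise a prompt.
FORBIDDEN_CHARS = re.compile(r"[\r\n\x00\x1b]")

# Hostnames are limited to letters, digits, dots and hyphens.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]+")


def url_is_safe_for_credential_helper(url: str) -> bool:
    """Return True only if the URL cannot smuggle extra protocol lines.

    The control-character check runs on the raw string on purpose:
    urlsplit() silently strips CR/LF/TAB, so checking after parsing
    would miss exactly the characters this guard exists for.
    """
    if FORBIDDEN_CHARS.search(url):
        return False
    parts = urlsplit(url)
    if parts.scheme not in ("https", "http"):
        return False
    if not parts.hostname or not HOSTNAME_RE.fullmatch(parts.hostname):
        return False
    return True


def build_credential_request(url: str) -> str:
    """Build the key=value block that `git credential fill` reads on stdin.

    Only protocol= and host= are sent, mirroring Git's default behaviour
    (Git adds path= only when credential.useHTTPPath is enabled).
    Raises ValueError instead of emitting a request for an unsafe URL.
    """
    if not url_is_safe_for_credential_helper(url):
        raise ValueError("refusing to build credential request for unsafe URL")
    parts = urlsplit(url)
    return f"protocol={parts.scheme}\nhost={parts.netloc}\n\n"


def parse_credential_response(text: str) -> dict:
    """Parse a helper's key=value reply, terminated by a blank line.

    Rejects lines without '=', lines containing control characters, and
    keys that appear twice, since a duplicated host= or password= line is
    the signature of a smuggled request.
    """
    result = {}
    for line in text.split("\n"):
        if line == "":
            break
        key, sep, value = line.partition("=")
        if not sep or FORBIDDEN_CHARS.search(key) or FORBIDDEN_CHARS.search(value):
            raise ValueError(f"malformed credential line: {line!r}")
        if key in result:
            raise ValueError(f"duplicate key {key!r} in credential response")
        result[key] = value
    return result


if __name__ == "__main__":
    # Constructed sample inputs: one clean URL, one with a trailing CR.
    for sample in ("https://github.com/octocat/Hello-World.git",
                   "https://github.com/org/repo.git\r"):
        print(repr(sample), "->", url_is_safe_for_credential_helper(sample))
```

The order of checks matters: validate the raw string first, then parse. Python's `urlsplit` (and several other URL parsers) discard ASCII newline and tab characters before parsing, so a guard placed after parsing reports the URL as clean even though the original string would have reached the helper with the control character intact.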

To safeguard against these threats, users are urged to upgrade to the latest versions of affected software. Businesses unable to apply patches immediately should limit the use of sensitive commands, such as git clone --recurse-submodules, particularly with untrusted repositories. Furthermore, avoiding reliance on credential helpers by restricting cloning to publicly accessible repositories can help mitigate risk.

These incidents highlight the importance of rigorous software security practices, especially for businesses involved in software development and collaboration. Understanding the potential tactics and techniques highlighted by the MITRE ATT&CK framework—particularly those related to credential access and exploitation—can provide critical insights into defending against future threats. Cybersecurity vigilance remains a paramount concern as tools like Git and GitHub play a vital role in today’s technology landscape.