• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Microsoft linked attacks on SharePoint flaws to China-nexus actors

 | 

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 

Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

 | 

MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

 | 

U.S. CISA urges to immediately patch Microsoft SharePoint flaw adding it to its Known Exploited Vulnerabilities catalog

 | 

Microsoft issues emergency patches for SharePoint zero-days exploited in "ToolShell" attacks

 | 

SharePoint zero-day CVE-2025-53770 actively exploited in the wild

 | 

Singapore warns China-linked group UNC3886 targets its critical infrastructure

 | 

U.S. CISA adds Fortinet FortiWeb flaw to its Known Exploited Vulnerabilities catalog

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 54

 | 

Security Affairs newsletter Round 533 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Radiology Associates of Richmond data breach impacts 1.4 million people

 | 

Fortinet FortiWeb flaw CVE-2025-25257 exploited hours after PoC release

 | 

Authorities released free decryptor for Phobos and 8base ransomware

 | 

Anne Arundel Dermatology data breach impacts 1.9 million people

 | 

LameHug: first AI-Powered malware linked to Russia’s APT28

 | 

5 Features Every AI-Powered SOC Platform Needs in 2025

 | 

Broadcom patches critical VMware flaws exploited at Pwn2Own Berlin 2025

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Security
  • Multiple Git flaws led to credentials compromise

Multiple Git flaws led to credentials compromise

Pierluigi Paganini January 27, 2025

Vulnerabilities in the Git credential retrieval protocol could have allowed threat actors to access user credentials.

Security researcher RyotaK from GMO Flatt Security Inc discovered multiple vulnerabilities in the Git credential retrieval protocol that could have allowed threat actors to access user credentials.

The vulnerabilities stem from the improper handling of messages in Git’s credential retrieval protocol.

In October 2024, the researcher while hunting bugs for the GitHub Bug Bounty program shifted focus from GitHub Enterprise Server to GitHub Desktop. Upon reviewing its source code, he discovered a bug allowing malicious repositories to leak user credentials. Intrigued, the expert decided to analyze other Git-related projects, uncovering several additional vulnerabilities.

The Git Credential Protocol was used to retrieve credentials from helpers like git-credential-store and git-credential-osxkeychain, the researcher RyotaK discovered multiple flaws causing credential leakage.

Git retrieves credentials from helpers by exchanging structured messages separated by newline characters. To prevent property injection, Git blocks newline and NULL bytes in property names and values.

The researcher discovered that GitHub Desktop’s credential helper, “trampoline,” improperly handled the Git Credential Protocol due to differences in how line terminators (\n, \r, etc.) were processed. An attacker can use a crafted URL with carriage return (%0d) to manipulate how the credentials are parsed. This caused GitHub Desktop to associate credentials with the wrong host (e.g., github.com instead of localhost), leading to credential leaks.

This GitHub Desktop improper regular expression issue has been tracked as CVE-2025-23040.

The researcher also reported a Git LFS newline injection, tracked as CVE-2024-53263, that could lead to credential compromise.

The Git’s researchers addressed the vulnerabilities caused by carriage return smuggling, and tracked by the organization as CVE-2024-52006), by introducing a defense-in-depth measure by validating the credential protocol. A new credential.protectProtocol configuration, enabled by default, blocks URLs containing carriage return characters (\r). This patch mitigates potential credential leaks across all credential helpers, including Git LFS.

GitHub CLI was found to leak access tokens to arbitrary hosts (CVE-2024-53858) due to a logic flaw in its tokenForHost function. While not affected by carriage return smuggling, the IsEnterprise function incorrectly classified non-GitHub-owned hosts as enterprise hosts, allowing access tokens (e.g., GH_ENTERPRISE_TOKEN or GITHUB_TOKEN) to be sent to malicious hosts. The expert pointed out that the flaw is especially critical in GitHub Codespaces, where the CODESPACES environment variable is always set to true, enabling token leakage when cloning malicious repositories.

“As we saw, text-based protocols are often vulnerable to injection, and a small architecture flaw can lead to a big security issue.” reads the report published by the researcher. “I hope that this research helped the Git community to improve its security, and I am looking forward to seeing further research on Git-related projects.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, credential leakage)


facebook linkedin twitter

Clone2Leak information security news IT Information Security Pierluigi Paganini Security Affairs Security News

you might also like

Pierluigi Paganini July 23, 2025
Microsoft linked attacks on SharePoint flaws to China-nexus actors
Read more
Pierluigi Paganini July 22, 2025
Cisco confirms active exploitation of ISE and ISE-PIC flaws
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Microsoft linked attacks on SharePoint flaws to China-nexus actors

    APT / July 23, 2025

    Cisco confirms active exploitation of ISE and ISE-PIC flaws

    Hacking / July 22, 2025

    SharePoint under fire: new ToolShell attacks target enterprises

    Hacking / July 22, 2025

    CrushFTP zero-day actively exploited at least since July 18

    Hacking / July 22, 2025

    Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

    Security / July 22, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT