This worrying Git flaw could lead to users leaking credentials


  • Security researcher finds three related attacks and dubs them Clone2Leak
  • The flaws allowed attackers to leak stored credentials through Git's credential helper
  • Patches are already available, so update now

A number of flaws were recently found in the credential helper of the distributed version control system Git that allowed malicious actors to exfiltrate login credentials from different projects. They were responsibly disclosed to the developers and have since been fixed.

Git's credential helper is a feature that securely manages credentials (usernames and passwords, or personal access tokens) required to authenticate with remote repositories. It simplifies authentication by caching or storing credentials so users don't need to repeatedly enter them for every Git operation.

Recently, a cybersecurity researcher from the Japanese security outfit GMO Flatt Security, known as RyotaK, found three separate but related attacks and dubbed them “Clone2Leak.” He explained that the flaws revolve around the improper handling of authentication messages sent to the credential helper. As a result, Git could end up sending stored credentials to a malicious server.

Multiple flaws

GitHub Desktop, Git LFS, GitHub CLI/Codespaces, and the Git Credential Manager were said to be vulnerable.

Clone2Leak comprises three flaws: CVE-2025-23040, CVE-2024-50338, and CVE-2024-53263. The first two are described as “carriage return smuggling” flaws affecting GitHub Desktop and Git Credential Manager, while the third is described as a “newline injection” flaw in Git LFS. The researcher also discovered a logic flaw in credential retrieval, tracked as CVE-2024-53858, affecting GitHub CLI and GitHub Codespaces.

All of the above-mentioned bugs have since been addressed, and users are urged to migrate to the patched releases, audit their credential configurations, and be extra careful when cloning repositories. The fixed versions are GitHub Desktop 3.4.12, Git Credential Manager 2.6.1, Git LFS 3.6.1, and gh cli 2.63.0.

Users should also enable Git’s ‘credential.protectProtocol’ setting, the report added.
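As an added illustration (not from the article or the researcher's write-up) of why carriage returns matter here: Git talks to a credential helper using plain "key=value" lines ended by a blank line. The constructed request below shows how a helper that treats a bare "\r" as a line break can be steered into answering for a different host, and how a parser that rejects control characters in values (the behaviour credential.protectProtocol is meant to enforce; the implementation here is ours) refuses the request instead.

```python
import re

# Constructed requests in the Git credential-helper wire format:
# one "key=value" per line, terminated by a blank line.
BENIGN_REQUEST = "protocol=https\nhost=example.com\n\n"

# Constructed request carrying a smuggled carriage return inside the host
# value, so that it looks like a second host= line to a lenient parser.
SMUGGLED_REQUEST = "protocol=https\nhost=untrusted.example\rhost=trusted.example\n\n"

CONTROL_CHARS = re.compile(r"[\r\n]")


def parse_lenient(request):
    """Lenient parser that accepts \\r\\n, \\r or \\n as a line break.
    It sees two host= lines and keeps the last one, so the credential it
    looks up belongs to trusted.example even though Git is really talking
    to untrusted.example."""
    creds = {}
    for line in re.split(r"\r\n|\r|\n", request):
        if line == "":
            break  # blank line ends the request
        key, _, value = line.partition("=")
        creds[key] = value
    return creds


def parse_strict(request):
    """Hardened parser: split only on \\n and reject any value that still
    contains a carriage return or newline (our implementation of the
    protectProtocol idea, not Git's code)."""
    creds = {}
    for line in request.split("\n"):
        if line == "":
            break
        key, sep, value = line.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed line: {line!r}")
        if CONTROL_CHARS.search(value):
            raise ValueError(f"control character in {key} value: {value!r}")
        creds[key] = value
    return creds


def is_safe_request(request):
    """True when the strict parser accepts the request, False otherwise."""
    try:
        parse_strict(request)
    except ValueError:
        return False
    return True
```

The lenient parser resolves the smuggled request to host "trusted.example", which is exactly the confusion that lets a stored token be handed to the wrong remote; the strict parser rejects it outright.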

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
