This worrying Git flaw could lead to users leaking credentials

News
By
published

Git's credential helper did not properly handle authentication messages

Shadowed hands on a digital background reaching for a login prompt.
Image Credit: Shutterstock (Image credit: Shutterstock)
  • Security researcher finds related attacks and dubbed them Clone2Leak
  • This allowed threat actors to leak credentials through Git's credential helper
  • Patches are already available, so update now

A number of flaws was recently found in distributed version control system Git’s credential helper which allowed malicious actors to exfiltrate login credentials from different projects. It was responsibly disclosed to the developers and shut down.

Git's credential helper is a feature that securely manages credentials (usernames and passwords, or personal access tokens) required to authenticate with remote repositories. It simplifies authentication by caching or storing credentials so users don't need to repeatedly enter them for every Git operation.

Recently, a cybersecurity researcher from the Japanese GMO Flatt Security outfit, alias RyotaK, found three separate, but related attacks, and dubbed them “Clone2Leak.” He explained that the flaws revolve around the improper handling of authentication messages sent to the credential helper. As a result, Git could end up sharing stored credentials to a malicious server.

Multiple flaws

GitHub Desktop, Git LFS, GitHub CLI/Codespaces, and the Git Credential Manager, were said to be vulnerable.

Clone2Leak comprises these three flaws: CVE-2025-23040, CVE-2024-50338, and CVE-2024-53263. The first two are described as “carriage return smuggling” flaws affecting GitHub Desktop and Git Credential Manager, while the third one is described as “newline injection” in Git LFS. The researcher also discovered a logic flaw in credential retrieval, tracked as CVE-2024-53858, affecting CitHub CLI and GitHub Codespaces.

Users are now urged to migrate to the safe releases to mitigate the risk of potential credential leakage.

All of the above-mentioned bugs have since been addressed, and users are now urged to update their tools, audit credential configurations, and be extra careful when cloning repositories. That being said, the versions they should go for include GitHub Desktop 3.4.12, Git Credential Manager 2.6.1, Git LFS 3.6.1, and gh cli 2.63.0.

Users should also enable Git’s ‘credential.protectProtocol’, it was said.

Via BleepingComputer

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

More about security
Ransomware

8base ransomware site taken down in global police operation
A person holding a credit card in one hand while typing on a laptop keyboard with the other.

Google system abused by hackers to hijack ecommerce stores
A person using a laptop on a table.

Microsoft warns hackers have a new and devious way of distributing malware
See more latest