GitHub Desktop Vulnerability: Credential Leaks via Malicious Remote URLs

Several security vulnerabilities in GitHub Desktop and other Git-related tools have been disclosed, exposing users to potential credential leaks. Exploiting these flaws could allow attackers to gain unauthorized access to sensitive Git credentials, posing a severe risk to software security.

Key Vulnerabilities

Security researcher Ry0taK from GMO Flatt Security discovered flaws caused by improper handling of Git Credential Protocol messages. These vulnerabilities allow attackers to manipulate credential requests using maliciously crafted URLs.

Detailed List of CVEs:

1. CVE-2025-23040 (CVSS: 6.6)

   • Exploits maliciously crafted remote URLs in GitHub Desktop to leak credentials.

2. CVE-2024-50338 (CVSS: 7.4)

   • Carriage-return character in remote URLs enables repositories to exfiltrate credentials through Git Credential Manager.

3. CVE-2024-53263 (CVSS: 8.5)

   • Git LFS (Large File Storage) permits attackers to retrieve credentials via specially crafted HTTP URLs.

4. CVE-2024-53858 (CVSS: 6.5)

   • Recursive repository cloning in GitHub CLI leaks authentication tokens to non-GitHub submodule hosts.

Exploitation Details

• Carriage Return Smuggling:
  Malicious actors can embed carriage return characters (\r) in remote URLs to manipulate GitHub Desktop's credential requests, causing credentials to be sent to an unauthorized host.

• Credential Manager Weakness:
  The Git Credential Manager NuGet package is vulnerable to exposing credentials to unrelated hosts via improperly validated URLs.

• CRLF Injection in Git LFS:
  Git LFS fails to sanitize control characters in URLs, leading to credential leaks through CRLF injection.

• GitHub CLI Token Exposure:
  GitHub CLI mishandles tokens set by environment variables such as GITHUB_ENTERPRISE_TOKEN, GH_ENTERPRISE_TOKEN, and GITHUB_TOKEN. When combined with Codespaces (CODESPACES=true), these tokens can be leaked during malicious repository cloning.

Real-World Impact

If successfully exploited, these vulnerabilities allow attackers to exfiltrate authentication tokens and access privileged resources, significantly compromising security.

Mitigation Steps

Git has released updates to address the issues, including a fix for CVE-2024-52006 (CVSS: 2.1), which resolves the carriage return smuggling vulnerability.

Recommended Actions:

1. Upgrade Immediately:

   • Update to Git version v2.48.1 or later.
   • Ensure GitHub Desktop, CLI, and Git LFS are on their latest versions.

2. Avoid Cloning Untrusted Repositories:

   • Do not use git clone --recurse-submodules on repositories from unverified sources.

3. Disable Credential Helpers:

   • Avoid using credential helpers when cloning non-public repositories.

4. Implement Patch Management:

   • Regularly monitor and apply patches for Git-related tools.

Conclusion

These vulnerabilities highlight the importance of secure Git practices and prompt patching. Developers and organizations must stay vigilant and prioritize cybersecurity measures to prevent unauthorized access to sensitive credentials.