Multiple security vulnerabilities have been disclosed in GitHub Desktop as well as other Git-related projects that, if successfully exploited, could permit an attacker to gain unauthorized access to a user’s Git credentials.
“Git implements a protocol called Git Credential Protocol to retrieve credentials from the credential helper,” GMO Flatt Security researcher Ry0taK, who discovered the flaws, said in an analysis published Sunday. “Because of improper handling of messages, many projects were vulnerable to credential leakage in various ways.”
The list of identified vulnerabilities, dubbed Clone2Leak, is as follows –
- CVE-2025-23040 (CVSS score: 6.6) – Maliciously crafted remote URLs could lead to credential leaks in GitHub Desktop
- CVE-2024-50338 (CVSS score: 7.4) – Carriage-return character in remote URL allows the malicious repository to leak credentials in Git Credential Manager
- CVE-2024-53263 (CVSS score: 8.5) – Git LFS permits retrieval of credentials via crafted HTTP URLs
- CVE-2024-53858 (CVSS score: 6.5) – Recursive repository cloning in GitHub CLI can leak authentication tokens to non-GitHub…
