
GitHub Desktop Vulnerability: Multiple Security Risks Disclosed

Author: Ravie Lakshmanan
Date: January 27, 2025

Tags: Vulnerability / Software Security

Multiple security vulnerabilities have been disclosed in GitHub Desktop as well as other Git-related projects that, if successfully exploited, could permit an attacker to gain unauthorized access to a user’s Git credentials.

GitHub software engineer Taylor Blau wrote in a post about CVE-2024-52006: "Git implements a protocol called Git Credential…rability is related to CVE-2020-5260, but relies on behavior where single carriage return characters are interpreted by some credential helper implementations as newlines."
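The mismatch Blau describes, a lone carriage return that one side treats as data and the other side treats as a line break, is illustrated here with a small added example; it is not code from the article, from Git, or from any credential helper, and the host names and the strict pre-send check are constructed for the demonstration.

```python
# Added example (not from the article or from Git): two models of how a credential
# helper might split the key=value protocol into lines, plus the kind of pre-send
# check that prevents a value from ever being read as an extra line.
# All inputs below are constructed; the host names are placeholders.

def parse_lenient(block: bytes) -> dict:
    """Model of a helper that accepts \\r, \\n and \\r\\n as line terminators
    (the behaviour the advisory describes). A repeated key overwrites the earlier one."""
    text = block.decode("utf-8").replace("\r\n", "\n").replace("\r", "\n")
    fields = {}
    for line in text.split("\n"):
        if not line:          # a blank line ends the request
            break
        key, _, value = line.partition("=")
        fields[key] = value
    return fields

def parse_strict(block: bytes) -> dict:
    """Model of a helper where only \\n terminates a line; a CR stays inside the value."""
    fields = {}
    for line in block.decode("utf-8").split("\n"):
        if not line:
            break
        key, _, value = line.partition("=")
        fields[key] = value
    return fields

def is_safe_credential_value(value: str) -> bool:
    """Defensive check (our construction, modelled on the idea behind the fix):
    a value passed over the credential protocol must contain no CR, LF or NUL,
    so no helper, lenient or strict, can ever see it as a second line."""
    return not any(ch in value for ch in ("\r", "\n", "\0"))

def build_request(fields: dict) -> bytes:
    """Serialise key=value pairs for a helper, refusing any field that fails the check."""
    for key, value in fields.items():
        if not (is_safe_credential_value(key) and is_safe_credential_value(value)):
            raise ValueError(f"unsafe control character in credential field {key!r}")
    return "".join(f"{k}={v}\n" for k, v in fields.items()).encode() + b"\n"

def request_is_rejected(fields: dict) -> bool:
    """True when build_request refuses the fields; used to exercise the hardening."""
    try:
        build_request(fields)
    except ValueError:
        return True
    return False
```

Run the two parsers over the same constructed block containing a bare CR and they disagree on which host the credentials belong to; the check in build_request is what removes that ambiguity before any helper is involved.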

The latest version also patches CVE-2024-50349 (CVSS score: 2.1), which could be exploited by an adversary to craft URLs containing escape sequences to trick users into providing their credentials to arbitrary sites.

Recommendations:

  • Users are advised to update to the latest version to protect against these vulnerabilities.
  • If immediate patching is not an option, the risk associated with the flaws can be mitigated by avoiding running git clone with --recurse-submodules against untrusted repositories.
  • It is also recommended to avoid using the credential helper at all, for example by cloning only publicly available repositories.
