GitHub Desktop Vulnerability Risks Credential Leaks via Malicious Remote URLs - Related to patch, edition, urls, github, 2025.

GitHub Desktop Vulnerability Risks Credential Leaks via Malicious Remote URLs

Multiple security vulnerabilities have been disclosed in GitHub Desktop as well as other Git-related projects that, if successfully exploited, could permit an attacker to gain unauthorized access to a user's Git credentials.

"Git implements a protocol called Git Credential Protocol to retrieve credentials from the credential helper," GMO Flatt Security researcher Ry0taK, who discovered the flaws, expressed in an analysis . "Because of improper handling of messages, many projects were vulnerable to credential leakage in various ways."

The list of identified vulnerabilities, dubbed Clone2Leak, is as follows -.

CVE-2025-23040 (CVSS score: [website] - Maliciously crafted remote URLs could lead to credential leaks in GitHub Desktop.

(CVSS score: [website] - Maliciously crafted remote URLs could lead to credential leaks in GitHub Desktop CVE-2024-50338 (CVSS score: [website] - Carriage-return character in remote URL allows the malicious repository to leak credentials in Git Credential Manager.

(CVSS score: [website] - Carriage-return character in remote URL allows the malicious repository to leak credentials in Git Credential Manager CVE-2024-53263 (CVSS score: [website] - Git LFS permits retrieval of credentials via crafted HTTP URLs.

(CVSS score: [website] - Git LFS permits retrieval of credentials via crafted HTTP URLs CVE-2024-53858 (CVSS score: [website] - Recursive repository cloning in GitHub CLI can leak authentication tokens to non-GitHub submodule hosts.

While the credential helper is designed to return a message containing the credentials that are separated by the newline control character ("

"), the research found that GitHub Desktop is susceptible to a case of carriage return ("\r") smuggling whereby injecting the character into a crafted URL can leak the credentials to an attacker-controlled host.

"Using a maliciously crafted URL it's possible to cause the credential request coming from Git to be misinterpreted by Github Desktop such that it will send credentials for a different host than the host that Git is currently communicating with thereby allowing for secret exfiltration," GitHub mentioned in an advisory.

A similar weakness has also been identified in the Git Credential Manager NuGet package, allowing for credentials to be exposed to an unrelated host. Git LFS, likewise, has been found not to check for any embedded control characters, resulting in a carriage return line feed (CRLF) injection via crafted HTTP URLs.

On the other hand, the vulnerability impacting GitHub CLI takes advantage of the fact that the access token is configured to be sent to hosts other than github[.]com and ghe[.]com as long as the environment variables GITHUB_ENTERPRISE_TOKEN, GH_ENTERPRISE_TOKEN, and GITHUB_TOKEN are set, and CODESPACES is set to "true" in the case of the latter.

"While both enterprise-related variables are not common, the CODESPACES environment variable is always set to true when running on GitHub Codespaces," Ry0taK stated. "So, cloning a malicious repository on GitHub Codespaces using GitHub CLI will always leak the access token to the attacker's hosts."

Successful exploitation of the aforementioned flaws could lead to a malicious third-party using the leaked authentication tokens to access privileged resources.

In response to the disclosures, the credential leakage stemming from carriage return smuggling has been treated by the Git project as a standalone vulnerability (CVE-2024-52006, CVSS score: [website] and addressed in version [website].

"This vulnerability is related to CVE-2020-5260, but relies on behavior where single carriage return characters are interpreted by some credential helper implementations as newlines," GitHub software engineer Taylor Blau stated in a post about CVE-2024-52006.

The latest version also patches CVE-2024-50349 (CVSS score: [website], which could be exploited by an adversary to craft URLs containing escape sequences to trick customers into providing their credentials to arbitrary sites.

individuals are advised to modification to the latest version to protect against these vulnerabilities. If immediate patching is not an option, the risk associated with the flaws can be mitigated by avoiding running git clone with --recurse-submodules against untrusted repositories. It's also recommended to not use the credential helper by only cloning publicly available repositories.

Lockbit is by far this summer’s most prolific ransomware group, trailed by two offshoots of the Cont...

As cloud security evolves in 2025 and beyond, organizations must adapt to both new and evolving real...

New research indicates that over 80,000 Hikvision surveillance cameras in the world today are vulner...

Microsoft Patch Tuesday, February 2025 Edition

Microsoft today issued security updates to fix at least 56 vulnerabilities in its Windows operating systems and supported software, including two zero-day flaws that are being actively exploited.

All supported Windows operating systems will receive an upgrade this month for a buffer overflow vulnerability that carries the catchy name CVE-2025-21418. This patch should be a priority for enterprises, as Microsoft says it is being exploited, has low attack complexity, and no requirements for user interaction.

Tenable senior staff research engineer Satnam Narang noted that since 2022, there have been nine elevation of privilege vulnerabilities in this same Windows component — three each year — including one in 2024 that was exploited in the wild as a zero day (CVE-2024-38193).

“CVE-2024-38193 was exploited by the North Korean APT group known as Lazarus Group to implant a new version of the FudModule rootkit in order to maintain persistence and stealth on compromised systems,” Narang mentioned. “At this time, it is unclear if CVE-2025-21418 was also exploited by Lazarus Group.”.

The other zero-day, CVE-2025-21391, is an elevation of privilege vulnerability in Windows Storage that could be used to delete files on a targeted system. Microsoft’s advisory on this bug references something called “CWE-59: Improper Link Resolution Before File Access,” says no user interaction is required, and that the attack complexity is low.

Adam Barnett, lead software engineer at Rapid7, unveiled although the advisory provides scant detail, and even offers some vague reassurance that ‘an attacker would only be able to delete targeted files on a system,’ it would be a mistake to assume that the impact of deleting arbitrary files would be limited to data loss or denial of service.

“As long ago as 2022, ZDI researchers set out how a motivated attacker could parlay arbitrary file deletion into full SYSTEM access using techniques which also involve creative misuse of symbolic links,”Barnett wrote.

One vulnerability patched today that was publicly disclosed earlier is CVE-2025-21377, another weakness that could allow an attacker to elevate their privileges on a vulnerable Windows system. Specifically, this is yet another Windows flaw that can be used to steal NTLMv2 hashes — essentially allowing an attacker to authenticate as the targeted user without having to log in.

, minimal user interaction with a malicious file is needed to exploit CVE-2025-21377, including selecting, inspecting or “performing an action other than opening or executing the file.”.

“This trademark linguistic ducking and weaving may be Microsoft’s way of saying ‘if we told you any more, we’d give the game away,'” Barnett stated. “Accordingly, Microsoft assesses exploitation as more likely.”.

The SANS Internet Storm Center has a handy list of all the Microsoft patches released today, indexed by severity. Windows enterprise administrators would do well to keep an eye on [website], which often has the scoop on any patches causing problems.

[website] writes that existing Office 365 individuals who are paying an annual cloud license do have the option of “Microsoft 365 Classic,” an AI-free subscription at a lower price, but that many consumers are not offered the option until they attempt to cancel their existing Office subscription.

In other security patch news, Apple has shipped iOS [website], which fixes a zero day vulnerability (CVE-2025-24200) that is showing up in attacks.

Adobe has issued security updates that fix a total of 45 vulnerabilities across InDesign, Commerce, Substance 3D Stager, InCopy, Illustrator, Substance 3D Designer and Photoshop Elements.

Chris Goettl at Ivanti notes that Google Chrome is shipping an modification today which will trigger updates for Chromium based browsers including Microsoft Edge, so be on the lookout for Chrome and Edge updates as we proceed through the week.

Microsoft on Tuesday released fixes for 63 security flaws impacting its software products, including two vulnerabilities that it mentioned has come under a......

A subgroup within the infamous Russian state-sponsored hacking group known as Sandworm has been attributed to a multi-year initial access operation du......

Microsoft: Happy 2025. Here’s 161 Security Updates

Microsoft today unleashed updates to plug a whopping 161 security vulnerabilities in Windows and related software, including three “zero-day” weaknesses that are already under active attack. Redmond’s inaugural Patch Tuesday of 2025 bundles more fixes than the firm has shipped in one go since 2017.

Rapid7‘s Adam Barnett says January marks the fourth consecutive month where Microsoft has -day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication. Today also saw the publication of nine critical remote code execution (RCE) vulnerabilities.

The Microsoft flaws already seeing active attacks include CVE-2025-21333, CVE-2025-21334 and, you guessed it– CVE-2025-21335. These are sequential because all reside in Windows Hyper-V, a component that is heavily embedded in modern Windows 11 operating systems and used for security elements including device guard and credential guard.

Tenable’s Satnam Narang says little is known about the in-the-wild exploitation of these flaws, apart from the fact that they are all “privilege escalation” vulnerabilities. Narang mentioned we tend to see a lot of elevation of privilege bugs exploited in the wild as zero-days in Patch Tuesday because it’s not always initial access to a system that’s a challenge for attackers as they have various avenues in their pursuit.

“As elevation of privilege bugs, they’re being used as part of post-compromise activity, where an attacker has already accessed a target system,” he noted. “It’s kind of like if an attacker is able to enter a secure building, they’re unable to access more secure parts of the facility because they have to prove that they have clearance. In this case, they’re able to trick the system into believing they should have clearance.”.

Several bugs addressed today earned CVSS (threat rating) scores of [website] out of a possible 10, including CVE-2025-21298, a weakness in Windows that could allow attackers to run arbitrary code by getting a target to open a malicious .rtf file, documents typically opened on Office applications like Microsoft Word. Microsoft has rated this flaw “exploitation more likely.”.

Ben Hopkins at Immersive Labs called attention to the CVE-2025-21311, a [website] “critical” bug in Windows NTLMv1 (NT LAN Manager version 1), an older Microsoft authentication protocol that is still used by many organizations.

“What makes this vulnerability so impactful is the fact that it is remotely exploitable, so attackers can reach the compromised machine(s) over the internet, and the attacker does not need significant knowledge or skills to achieve repeatable success with the same payload across any vulnerable component,” Hopkins wrote.

Kev Breen at Immersive points to an interesting flaw (CVE-2025-21210) that Microsoft fixed in its full disk encryption suite Bitlocker that the software giant has dubbed “exploitation more likely.” Specifically, this bug holds out the possibility that in some situations the hibernation image created when one closes the laptop lid on an open Windows session may not be fully encrypted and could be recovered in plain text.

“Hibernation images are used when a laptop goes to sleep and contains the contents that were stored in RAM at the moment the device powered down,” Breen noted. “This presents a significant potential impact as RAM can contain sensitive data (such as passwords, credentials and PII) that may have been in open documents or browser sessions and can all be recovered with free tools from hibernation files.”.

Tenable’s Narang also highlighted a trio of vulnerabilities in Microsoft Access fixed this month and credited to [website], a security research effort that is aided by artificial intelligence looking for vulnerabilities in code. Tracked as CVE-2025-21186, CVE-2025-21366, and CVE-2025-21395, these are remote code execution bugs that are exploitable if an attacker convinces a target to download and run a malicious file through social engineering. [website] was also credited with discovering a flaw in the December 2024 Patch Tuesday release (CVE-2024-49142).

“Automated vulnerability detection using AI has garnered a lot of attention lately, so it’s noteworthy to see this service being credited with finding bugs in Microsoft products,” Narang observed. “It may be the first of many in 2025.”.

If you’re a Windows user who has automatic updates turned off and haven’t updated in a while, it’s probably time to play catch up. Please consider backing up essential files and/or the entire hard drive before updating. And if you run into any problems installing this month’s patch batch, drop a line in the comments below, please.

Further reading on today’s patches from Microsoft:

A 59-year-old man from Irvine, California, was sentenced to 87 months in prison for his involvement ...

The [website] Justice Department has charged a Canadian man with stealing roughly $65 million after explo...

New research indicates that over 80,000 Hikvision surveillance cameras in the world today are vulner...