Critical security vulnerabilities in Git-related projects
2025-1-27 05:55:13 Author: cybersecuritynews.com

GitHub Vulnerability Lets Malicious Repos Leak Users' Credentials

Critical security vulnerabilities were recently uncovered in Git-related projects, including GitHub Desktop, Git Credential Manager, Git LFS, and GitHub Codespaces. They all involve improper handling of text-based protocols, which could allow attackers to leak user credentials.

This discovery highlights significant risks in software security, particularly in credential management mechanisms.

Git uses the Git Credential Protocol to retrieve credentials from a credential helper, which stores and provides them (e.g., git-credential-store, git-credential-winstore, git-credential-osxkeychain). Improper message handling has led to vulnerabilities and potential credential leaks in many projects.

Git communicates with the credential helper by exchanging messages, such as:

Request:

    protocol=https
    host=github.com

Response:

    protocol=https
    host=github.com
    username=USERNAME
    password=PASSWORD

Messages are newline-separated and parsed by both sides. To prevent property injection, Git blocks newline characters and NULL bytes in property names and values.

Credential Vulnerabilities Explained

GitHub Desktop (CVE-2025-23040) had a vulnerability in its credential helper that allowed attackers to perform “carriage return smuggling” by crafting malicious repository URLs.

This exploit leveraged differences in newline character parsing between Git and GitHub Desktop, enabling the leakage of user credentials to unauthorized hosts.

Similarly, Git Credential Manager (CVE-2024-50338) suffered from improper usage of the .NET StreamReader class, where incorrect parsing of newline and carriage return characters allowed attackers to leak credentials via crafted URLs.

    // Git Credential Manager's stdin reader, as shown in the original report.
    // StreamReader.ReadLine() treats "\r", "\n" and "\r\n" alike as line ends,
    // so a carriage return inside a value passed by Git is read as a field boundary.
    public TextReader In
    {
        get
        {
            if (_stdIn == null)
            {
                _stdIn = new StreamReader(Console.OpenStandardInput(), EncodingEx.UTF8NoBom);
            }

            return _stdIn;
        }
    }

Git Large File Storage (LFS) (CVE-2024-53263) also exhibited vulnerabilities when processing maliciously crafted .lfsconfig files.

Attackers could inject newline characters to bypass validation and expose user credentials to malicious hosts. GitHub CLI (CVE-2024-53858) experienced a logic vulnerability where access tokens were mistakenly sent to arbitrary hosts.

The issue stemmed from a flawed function, IsEnterprise, which failed to properly differentiate GitHub-owned instances from external domains.

Lastly, GitHub Codespaces Credential Helper had a significant flaw: it always returned the GITHUB_TOKEN, regardless of the requested host.

This vulnerability exposed access tokens when repositories cloned within a Codespace interacted with malicious domains, leading to potential credential leaks.

The vulnerabilities were identified by RyotaK, a security engineer at GMO Flatt Security Inc., during their participation in the GitHub Bug Bounty program. The findings, shared through a detailed blog post, have since prompted mitigations and patches by the affected platforms.

In response to these discoveries, Git developers and the GitHub team introduced several mitigations:

  • Defense-in-Depth Validation (CVE-2024-52006): Git added a new credential.protectProtocol configuration, enabled by default, which rejects credentials containing carriage return characters.
  • GitHub Codespaces revised its credential helper to validate requested hosts before sharing credentials.
  • GitHub Desktop and Git Credential Manager implemented additional input sanitization to prevent carriage return smuggling.
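An added example, not code from the article or from any of the projects it covers, that models the Git credential message format described above and the host check the mitigations call for: a strict parser that enforces Git's rules with and without credential.protectProtocol, the lenient CR-as-newline reading behind the parsing divergence, and a helper that answers only for a host it actually holds credentials for. The sample messages, the host name attacker.example and the credential store contents are constructed for illustration.

```python
import re

# Git's wire rules: "key=value" fields separated by LF; LF and NUL may never
# appear inside a key or value. credential.protectProtocol (CVE-2024-52006
# defense-in-depth) also rejects CR, so a value a lenient reader would cut at
# "\r" never reaches a helper at all.
FORBIDDEN = ("\n", "\0")

def parse_credential_message(raw: str, protect_protocol: bool = True) -> dict:
    """Strict parser: split on LF only; ValueError on malformed/smuggled fields."""
    forbidden = FORBIDDEN + (("\r",) if protect_protocol else ())
    fields = {}
    for line in raw.split("\n"):
        if line == "":
            break  # blank line (or the trailing LF) ends the message
        key, sep, value = line.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed line {line!r}")
        if any(ch in key or ch in value for ch in forbidden):
            raise ValueError(f"control character in field {key!r}")
        fields[key] = value
    return fields

def is_well_formed(raw: str, protect_protocol: bool = True) -> bool:
    try:
        parse_credential_message(raw, protect_protocol)
        return True
    except ValueError:
        return False

def lenient_view(raw: str) -> dict:
    """What a ReadLine-style reader, which treats CR, LF and CRLF alike as
    line ends, makes of the same bytes; a repeated key overwrites the first."""
    fields = {}
    for line in re.split(r"\r\n|\r|\n", raw):
        if line == "":
            break
        key, _, value = line.partition("=")
        fields[key] = value
    return fields

def helper_respond(request: dict, store: dict) -> "dict | None":
    """Answer only for a host the store holds credentials for (the check the
    Codespaces helper lacked); None means the helper has nothing to offer."""
    host = request.get("host")
    if request.get("protocol") != "https" or host not in store:
        return None
    username, password = store[host]
    return {**request, "username": username, "password": password}
```

Feeding one constructed message containing a carriage return to both parsers shows the divergence: the strict reader keeps it as a single (unmatched) host value or rejects it outright under protectProtocol, while the lenient reader sees a second host line.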

The findings underscore the risks of improper handling in text-based protocols, particularly when dealing with credential exchanges. Even small architectural oversights can result in significant security breaches.

RyotaK emphasized the importance of robust validation and input sanitization in all software applications, especially those handling sensitive information like credentials.



Source: https://cybersecuritynews.com/github-vulnerability-let-malicious-repos-to-leaks-users-credentials/