Security researchers have recently uncovered multiple vulnerabilities in GitHub Desktop Vulnerability and related Git projects, potentially allowing attackers to access user credentials without authorization. The discovery highlights the importance of maintaining updated software and adhering to secure practices when working with Git and GitHub tools. These vulnerabilities, collectively known as Clone2Leak, reveal significant risks to sensitive data, emphasizing the need for proactive security measures.
Understanding the Vulnerabilities: Clone2Leak Breakdown
The vulnerabilities fall into four key categories, each with varying degrees of risk:
- CVE-2025-23040 (CVSS score: 6.6):
- Exploits maliciously crafted remote URLs, leading to credential leaks in GitHub Desktop.
- CVE-2024-50338 (CVSS score: 7.4):
- Utilizes carriage-return characters in remote URLs to expose credentials in Git Credential Manager.
- CVE-2024-53263 (CVSS score: 8.5):
- Exploits Git LFS (Large File Storage) to retrieve credentials via crafted HTTP URLs.
- CVE-2024-53858 (CVSS score: 6.5):
- Leaks authentication tokens through recursive repository cloning in GitHub CLI when submodules are hosted on non-GitHub platforms.
Also Read: New Banshee Stealer Variant Bypasses macOS Antivirus with Encryption
Technical Insights Into Vulnerabilities
Carriage Return Smuggling in GitHub Desktop (CVE-2025-23040):
The Git Credential Protocol retrieves credentials through credential helpers. However, GitHub Desktop’s improper handling of carriage-return characters (\r) allows an attacker to craft URLs that leak credentials. This vulnerability arises when the credential request from Git is misinterpreted by GitHub Desktop, exposing sensitive data to unauthorized hosts.
Git Credential Manager Weakness (CVE-2024-50338):
The Git Credential Manager NuGet package contains a similar flaw where carriage-return characters in crafted URLs expose credentials to unrelated hosts.
Git LFS Vulnerability (CVE-2024-53263):
Git LFS fails to validate embedded control characters, enabling attackers to inject carriage-return line feeds (CRLF) into HTTP URLs. This flaw further facilitates credential leaks during Git operations.
GitHub CLI Submodule Token Leak (CVE-2024-53858):
The GitHub CLI vulnerability arises from improperly configured environment variables (e.g., GITHUB_ENTERPRISE_TOKEN, GH_ENTERPRISE_TOKEN, GITHUB_TOKEN) and the CODESPACES variable. When cloning a malicious repository on GitHub Codespaces, access tokens are exposed to attacker-controlled hosts.
Impact of Exploitation
Successful exploitation of these vulnerabilities can grant attackers unauthorized access to sensitive Git credentials, enabling them to:
- Access private repositories.
- Modify or delete source code.
- Exfiltrate data.
- Perform supply chain attacks by injecting malicious code into repositories.
Such exploits can have severe consequences for developers and organizations, including loss of intellectual property, reputational damage, and potential legal repercussions.
Also Read: AI’s Role in AI Generated Malware Variants and Evading Detection
GitHub’s Response and Mitigation Measures
GitHub has acted swiftly to address these vulnerabilities by patching the affected tools. Updates have been rolled out in the following versions:
- GitHub Desktop: Fixed in the latest update.
- Git Credential Manager NuGet package: Updated to prevent credential exposure.
- Git LFS: Resolved CRLF injection issues.
- GitHub CLI: Enhanced handling of access tokens to restrict leaks.
Standalone Git Project Patch (CVE-2024-52006):
The Git project treated the carriage-return smuggling issue as a standalone vulnerability (CVE-2024-52006, CVSS score: 2.1) and patched it in version v2.48.1.
Recommendations for Users
To safeguard against these vulnerabilities, users are urged to:
- Update Software:
Always use the latest versions of Git, GitHub Desktop, Git LFS, and GitHub CLI to ensure vulnerabilities are patched. - Avoid Untrusted Repositories:
Avoid runninggit clonewith the--recurse-submodulesflag on untrusted repositories. - Limit Use of Credential Helpers:
Where possible, use public repositories and avoid reliance on credential helpers. - Monitor Access Tokens:
Regularly audit environment variables such asGITHUB_TOKENand ensure proper restrictions are in place. - Enable Multi-Factor Authentication (MFA):
Strengthen account security by enabling MFA on GitHub accounts. - Practice Secure URL Usage:
Validate remote URLs and avoid sharing them in public or unverified forums.
Also Read: PearAI Secures $1M Seed After Controversy, Shifts Focus to AI Coding Framework
The Importance of Cybersecurity Hygiene
These vulnerabilities underline the necessity of robust cybersecurity hygiene, especially for tools integral to software development. As Git and GitHub tools play a central role in modern workflows, their security directly impacts the integrity of software products.
Organizations must conduct regular security assessments, train developers on secure coding practices, and adopt proactive monitoring systems to detect and mitigate risks.
FAQs
- What is the GitHub Desktop vulnerability?
GitHub Desktop is vulnerable to credential leaks via maliciously crafted URLs due to improper handling of carriage-return characters. - What is Clone2Leak?
Clone2Leak is the collective name for multiple vulnerabilities affecting GitHub Desktop, Git Credential Manager, Git LFS, and GitHub CLI. - How do attackers exploit these vulnerabilities?
Attackers craft malicious URLs or exploit environment variables to leak Git credentials or access tokens. - Which CVEs are associated with these vulnerabilities?
CVEs include CVE-2025-23040, CVE-2024-50338, CVE-2024-53263, and CVE-2024-53858. - What is the impact of these vulnerabilities?
Exploitation can result in unauthorized access to private repositories, data exfiltration, or supply chain attacks. - How can users mitigate the risks?
Update all Git-related tools, avoid untrusted repositories, and enable multi-factor authentication (MFA). - What updates have been released to address these flaws?
GitHub has patched the vulnerabilities in updated versions of GitHub Desktop, Git LFS, and GitHub CLI. - What is CVE-2024-52006?
CVE-2024-52006 addresses carriage-return smuggling in the Git project and is resolved in Git v2.48.1. - Are GitHub Codespaces affected by these flaws?
Yes, GitHub CLI vulnerabilities can leak tokens when cloning malicious repositories in Codespaces. - Why is updating Git tools essential?
Updating ensures vulnerabilities are patched, protecting your credentials and sensitive data from unauthorized access.