Security Affairs
Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|GigaWiper Merges Three Malware Families Into One Destructive Backdoor|INTERPOL Operation First Light Nets 5,811 Arrests and Seizes $293 Million|GodDamn Ransomware Uses PoisonX to Blind Security Software|AssuranceAmerica Breach Exposes 7 Million Driver’s Licenses After Employee Account Hack|Microsoft fixed Defender flaw RoguePlanet (CVE-2026-50656)|Fake VPN and 7-Zip Apps Turn Victims Into Residential Proxy Nodes|Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation|A Hacker Claims 35 GB of Accenture Source Code. The Company discloses the data breach|Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|GigaWiper Merges Three Malware Families Into One Destructive Backdoor|INTERPOL Operation First Light Nets 5,811 Arrests and Seizes $293 Million|GodDamn Ransomware Uses PoisonX to Blind Security Software|AssuranceAmerica Breach Exposes 7 Million Driver’s Licenses After Employee Account Hack|Microsoft fixed Defender flaw RoguePlanet (CVE-2026-50656)|Fake VPN and 7-Zip Apps Turn Victims Into Residential Proxy Nodes|Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation|A Hacker Claims 35 GB of Accenture Source Code. The Company discloses the data breach|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Multiple Git flaws led to credentials compromise

Vulnerabilities in the Git credential retrieval protocol could have allowed threat actors to access user credentials. Security researcher RyotaK from GMO Flatt Security Inc discovered multiple vulnerabilities in the Git credential retrieval protocol that could have allowed threat actors to access user credentials. The vulnerabilities stem from the improper handling of messages in Git’s credential […]

Git

Vulnerabilities in the Git credential retrieval protocol could have allowed threat actors to access user credentials.

Security researcher RyotaK from GMO Flatt Security Inc discovered multiple vulnerabilities in the Git credential retrieval protocol that could have allowed threat actors to access user credentials.

The vulnerabilities stem from the improper handling of messages in Git’s credential retrieval protocol.

In October 2024, the researcher while hunting bugs for the GitHub Bug Bounty program shifted focus from GitHub Enterprise Server to GitHub Desktop. Upon reviewing its source code, he discovered a bug allowing malicious repositories to leak user credentials. Intrigued, the expert decided to analyze other Git-related projects, uncovering several additional vulnerabilities.

The Git Credential Protocol was used to retrieve credentials from helpers like git-credential-store and git-credential-osxkeychain, the researcher RyotaK discovered multiple flaws causing credential leakage.

Git retrieves credentials from helpers by exchanging structured messages separated by newline characters. To prevent property injection, Git blocks newline and NULL bytes in property names and values.

The researcher discovered that GitHub Desktop’s credential helper, “trampoline,” improperly handled the Git Credential Protocol due to differences in how line terminators (\n, \r, etc.) were processed. An attacker can use a crafted URL with carriage return (%0d) to manipulate how the credentials are parsed. This caused GitHub Desktop to associate credentials with the wrong host (e.g., github.com instead of localhost), leading to credential leaks.

This GitHub Desktop improper regular expression issue has been tracked as CVE-2025-23040.

The researcher also reported a Git LFS newline injection, tracked as CVE-2024-53263, that could lead to credential compromise.

The Git’s researchers addressed the vulnerabilities caused by carriage return smuggling, and tracked by the organization as CVE-2024-52006), by introducing a defense-in-depth measure by validating the credential protocol. A new credential.protectProtocol configuration, enabled by default, blocks URLs containing carriage return characters (\r). This patch mitigates potential credential leaks across all credential helpers, including Git LFS.

GitHub CLI was found to leak access tokens to arbitrary hosts (CVE-2024-53858) due to a logic flaw in its tokenForHost function. While not affected by carriage return smuggling, the IsEnterprise function incorrectly classified non-GitHub-owned hosts as enterprise hosts, allowing access tokens (e.g., GH_ENTERPRISE_TOKEN or GITHUB_TOKEN) to be sent to malicious hosts. The expert pointed out that the flaw is especially critical in GitHub Codespaces, where the CODESPACES environment variable is always set to true, enabling token leakage when cloning malicious repositories.

“As we saw, text-based protocols are often vulnerable to injection, and a small architecture flaw can lead to a big security issue.” reads the report published by the researcher. “I hope that this research helped the Git community to improve its security, and I am looking forward to seeing further research on Git-related projects.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, credential leakage)