- Security researcher finds related attacks and dubbed them Clone2Leak
- This allowed threat actors to leak credentials through Git’s credential helper
- Patches are already available, so update now
A number of flaws was recently found in distributed version control system Git’s credential helper which allowed malicious actors to exfiltrate login credentials from different projects. It was responsibly disclosed to the developers and shut down.
Git’s credential helper is a feature that securely manages credentials (usernames and passwords, or personal access tokens) required to authenticate with remote repositories. It simplifies authentication by caching or storing credentials so users don’t need to repeatedly enter them for every Git operation.
Recently, a cybersecurity researcher from the Japanese GMO Flatt Security outfit, alias RyotaK, found three separate, but related attacks, and dubbed them “Clone2Leak.” He explained that the flaws revolve around the improper handling of authentication messages sent to the credential helper. As a result, Git could end up sharing stored credentials to a malicious server.
Multiple flaws
GitHub Desktop, Git LFS, GitHub CLI/Codespaces, and the Git Credential Manager, were said to be vulnerable.
Clone2Leak comprises these three flaws: CVE-2025-23040, CVE-2024-50338, and CVE-2024-53263. The first two are described as “carriage return smuggling” flaws affecting GitHub Desktop and Git Credential Manager, while the third one is described as “newline injection” in Git LFS. The researcher also discovered a logic flaw in credential retrieval, tracked as CVE-2024-53858, affecting CitHub CLI and GitHub Codespaces.
Users are now urged to migrate to the safe releases to mitigate the risk of potential credential leakage.
All of the above-mentioned bugs have since been addressed, and users are now urged to update their tools, audit credential configurations, and be extra careful when cloning repositories. That being said, the versions they should go for include GitHub Desktop 3.4.12, Git Credential Manager 2.6.1, Git LFS 3.6.1, and gh cli 2.63.0.
Users should also enable Git’s ‘credential.protectProtocol’, it was said.
Via BleepingComputer
Leave a comment