Vulnerabilities in Git Projects Expose User Credentials
🦠 Multiple vulnerabilities discovered in Git-related projects expose user credentials. Security engineer RyotaK identified several critical vulnerabilities while investigating GitHub Desktop and other Git-related tools; they allow a malicious repository to leak the user's credentials through improper handling of the Git Credential Protocol. Key issues include carriage return smuggling in GitHub Desktop and Git Credential Manager, as well as newline injection vulnerabilities in Git LFS. Additionally, the GitHub CLI and GitHub Codespaces were found to leak access tokens to arbitrary hosts due to flawed logic in their credential handling. Git has since implemented mitigations to address these vulnerabilities, emphasizing the need for robust security practices in text-based protocols. The findings aim to enhance security within the Git community and encourage further research.
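The carriage return smuggling described above comes down to how a credential helper splits the `key=value` request Git writes to its stdin. The following is an added illustration, not code from any of the projects named here: a lenient parser that treats a bare `\r` as a line ending (so a smuggled `host=` overrides the real one) next to a strict parser that only accepts `\n` as the terminator and rejects any CR or LF inside a field. The request text is constructed for the example.

```python
# Constructed credential request, as a helper would read it on stdin:
# "key=value" lines, each ended by "\n", request ended by an empty line.
# The "path" value is attacker-influenced (e.g. via a crafted remote URL)
# and carries a bare carriage return followed by a second "host=" field.
CONSTRUCTED_REQUEST = (
    "protocol=https\n"
    "host=github.com\n"
    "path=user/repo\rhost=attacker.invalid\n"
    "\n"
)


def parse_lenient(request: str) -> dict:
    """Mimic a helper using splitlines(): '\\r' is treated as a line end,
    so the smuggled 'host=' becomes its own field and silently wins."""
    fields = {}
    for line in request.splitlines():
        if line == "":
            break  # empty line terminates the request
        key, _, value = line.partition("=")
        fields[key] = value  # a later duplicate key overwrites the earlier one
    return fields


def parse_strict(request: str) -> dict:
    """Only '\\n' ends a line; any CR or LF left inside a key or value is
    rejected, and a repeated key is rejected rather than overwritten."""
    fields = {}
    for line in request.split("\n"):
        if line == "":
            break
        key, sep, value = line.partition("=")
        if not sep or "\r" in key or "\r" in value or "\n" in value:
            raise ValueError(f"control character or malformed field: {line!r}")
        if key in fields:
            raise ValueError(f"duplicate field: {key!r}")
        fields[key] = value
    return fields


def strict_accepts(request: str) -> bool:
    """True if the strict parser accepts the request, False if it rejects it."""
    try:
        parse_strict(request)
        return True
    except ValueError:
        return False
```

With the constructed request, `parse_lenient` reports `host=attacker.invalid`, which is where a helper would then send the stored credential, while `parse_strict` refuses the request outright.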
