The GitHub Blog, July 9, 01:07
Git security vulnerabilities announced

The Git project has released new versions to address seven security vulnerabilities affecting all prior versions. The vulnerabilities involve configuration handling, cloning, credential handling, and the Git GUI and Gitk tools; an attacker may be able to use them to execute arbitrary code or write arbitrary files. Users are advised to upgrade to Git 2.50.1 and, until then, to take additional precautions such as avoiding --recurse-submodules on untrusted repositories, disabling automatic fetching of bundle URIs, and avoiding the wincred credential helper on Windows. GitHub has proactively updated the Git version shipped in GitHub Desktop, Codespaces, and Actions.

🐛 CVE-2025-48384: Git strips trailing carriage return (CR) and line feed (LF) characters when reading configuration values. When a submodule being initialized has a path with a trailing CR, the submodule is checked out in the wrong location, and an attacker can execute arbitrary code through the submodule's post-checkout hook.

💥 CVE-2025-48385: When cloning a repository, Git does not properly validate the advertised bundle, allowing the remote side to perform protocol injection. A specially crafted bundle can cause the client to write the bundle to an arbitrary location, which may lead to code execution.

🛡️ CVE-2025-48386 (Windows only): When Git uses the Wincred credential helper, a buffer overflow can occur because the remaining space in a buffer is not properly bounds checked.

🐞 CVE-2025-27613 (Gitk): Running Gitk in a specially crafted repository can write to and truncate arbitrary writable files.

⚠️ CVE-2025-27614 (Gitk): A user who runs gitk filename (where filename has a particular structure) may run attacker-supplied scripts, leading to arbitrary code execution.

💻 CVE-2025-46334 (Git GUI, Windows only): If a malicious repository contains sh.exe or common textconv programs, path lookup on Windows may locate those programs in the working tree, leading to arbitrary code execution.

🔨 CVE-2025-46335 (Git GUI): When a user edits a file in a specially named directory in an untrusted repository, Git GUI can create and overwrite arbitrary writable files.

Today, the Git project released new versions to address seven security vulnerabilities that affect all prior versions of Git.

Vulnerabilities in Git

CVE-2025-48384

When reading a configuration value, Git will strip any trailing carriage return (CR) and line feed (LF) characters. When writing a configuration value, however, Git does not quote trailing CR characters, causing them to be lost when they are read later on. When initializing a submodule whose path contains a trailing CR character, the stripped path is used, causing the submodule to be checked out in the wrong place.

If a symlink already exists between the stripped path and the submodule’s hooks directory, an attacker can execute arbitrary code through the submodule’s post-checkout hook.

[source]
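As a pre-flight check before using --recurse-submodules on a repository you do not trust, the following added example (not Git's code, and not from the original post) parses .gitmodules byte-for-byte and flags any submodule path that Git would read back differently after stripping a trailing CR, along with other ways a path can escape the working tree. The sample .gitmodules is constructed for this example; Git's config reader is modelled only as far as the page describes it (trailing CR/LF stripped on read), with the double-quoted escape set reduced to \n, \t, \b, \" and \\.

```python
"""Pre-flight audit of .gitmodules before `git clone --recurse-submodules`
or `git submodule update` on an untrusted repository.

Added example, not Git's own code. Values are kept byte-exact so that a
trailing CR smuggled into a quoted submodule path is visible; the only
piece of Git's reader modelled here is the trailing CR/LF stripping the
advisory describes.
"""
import re
from typing import Dict, List

SECTION_RE = re.compile(rb'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\]\s*$')
KEY_RE = re.compile(rb'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=[ \t]*(.*)$')

# Escapes understood inside a double-quoted git config value (assumed subset).
ESCAPES = {b"n": b"\n", b"t": b"\t", b"b": b"\b", b'"': b'"', b"\\": b"\\"}


def unquote(value: bytes) -> bytes:
    """Decode a double-quoted value byte-exact; an unquoted value loses its
    trailing whitespace and CR, as Git's reader would drop them."""
    if len(value) >= 2 and value[:1] == b'"' and value[-1:] == b'"':
        body, out, i = value[1:-1], bytearray(), 0
        while i < len(body):
            if body[i:i + 1] == b"\\" and i + 1 < len(body):
                out += ESCAPES.get(body[i + 1:i + 2], body[i + 1:i + 2])
                i += 2
            else:
                out += body[i:i + 1]
                i += 1
        return bytes(out)
    return value.rstrip(b" \t\r")  # inline ';'/'#' comments are not handled


def parse_gitmodules(data: bytes) -> Dict[bytes, Dict[bytes, bytes]]:
    """Map submodule name -> {key: value}, keeping values byte-exact."""
    modules: Dict[bytes, Dict[bytes, bytes]] = {}
    current = None
    for line in data.split(b"\n"):  # split on LF only so a CR survives
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            modules.setdefault(current, {})
            continue
        if line.lstrip().startswith(b"["):  # some other section
            current = None
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            modules[current][m.group(1).lower()] = unquote(m.group(2))
    return modules


def audit_submodule_paths(data: bytes) -> List[str]:
    """Return one finding per suspicious submodule path (empty list = clean)."""
    findings: List[str] = []
    for name, entries in parse_gitmodules(data).items():
        path = entries.get(b"path")
        if path is None:
            continue
        label = name.decode("utf-8", "backslashreplace")
        # CVE-2025-48384 pattern: the path Git parsed differs from what it gets
        # back after its own unquoted write / CR-stripping read round trip, so
        # the checkout lands on a location the attacker prepared (a symlink).
        reread = path.rstrip(b"\r\n")
        if reread != path:
            findings.append(f"{label}: path {path!r} is re-read as {reread!r} "
                            "after trailing CR/LF stripping")
        if any(b < 0x20 or b == 0x7F for b in reread):
            findings.append(f"{label}: path {reread!r} contains control characters")
        parts = re.split(rb"[\\/]", reread)
        if reread.startswith((b"/", b"\\")) or re.match(rb"^[A-Za-z]:", reread):
            findings.append(f"{label}: absolute path {reread!r}")
        if b".." in parts:
            findings.append(f"{label}: path {reread!r} escapes the working tree via '..'")
        if parts and parts[0].lower() == b".git":
            findings.append(f"{label}: path {reread!r} points inside .git")
    return findings


# Constructed sample: one benign submodule and one whose quoted path hides a CR.
SAMPLE_GITMODULES = (
    b'[submodule "lib/safe"]\n'
    b'\tpath = lib/safe\n'
    b'\turl = https://example.invalid/safe.git\n'
    b'[submodule "evil"]\n'
    b'\tpath = "modules/evil\r"\n'
    b'\turl = https://example.invalid/evil.git\n'
)

if __name__ == "__main__":
    for finding in audit_submodule_paths(SAMPLE_GITMODULES) or ["clean"]:
        print(finding)
```

Run it against a repository after a plain clone (no --recurse-submodules) with `audit_submodule_paths(Path(".gitmodules").read_bytes())`. A clean .gitmodules is not proof of safety: the symlink into the submodule's hooks directory lives in the tracked tree, and the scanner does not look there.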

CVE-2025-48385

When cloning a repository, Git can optionally fetch a bundle, allowing the server to offload a portion of the clone to a CDN. The Git client does not properly validate the advertised bundle(s), allowing the remote side to perform protocol injection. When a specially crafted bundle is advertised, the remote end can cause the client to write the bundle to an arbitrary location, which may lead to code execution similar to the previous CVE.

[source]

CVE-2025-48386 (Windows only)

When cloning from an authenticated remote, Git uses a credential helper in order to authenticate the request. Git includes a handful of credential helpers, including Wincred, which uses the Windows Credential Manager to store its credentials.

Wincred uses the contents of a static buffer as a unique key to store and retrieve credentials. However, it does not properly bounds check the remaining space in the buffer, leading to potential buffer overflows.

[source]

Vulnerabilities in Git GUI and Gitk

This release resolves four new CVEs related to Gitk and Git GUI. Both tools are Tcl/Tk-based graphical interfaces used to interact with Git repositories. Gitk is focused on showing a repository’s history, whereas Git GUI focuses on making changes to existing repositories.

CVE-2025-27613 (Gitk)

When running Gitk in a specially crafted repository without additional command-line arguments, Gitk can write and truncate arbitrary writable files. The “Support per-file encoding” option must be enabled; however, the operation of “Show origin of this line” is affected regardless.

[source]

CVE-2025-27614 (Gitk)

If a user is tricked into running gitk filename (where filename has a particular structure), they may run arbitrary scripts supplied by the attacker, leading to arbitrary code execution.

[source]

CVE-2025-46334 (Git GUI, Windows only)

If a malicious repository includes an executable sh.exe, or common textconv programs (e.g., astextplain, exif, or ps2ascii), path lookup on Windows may locate these executables in the working tree. If a user running Git GUI in such a repository selects either “Git Bash” or “Browse Files” from the menu, these programs may be invoked, leading to arbitrary code execution.

[source]

CVE-2025-46335 (Git GUI)

When a user is tricked into editing a file in a specially named directory in an untrusted repository, Git GUI can create and overwrite arbitrary writable files, similar to CVE-2025-27613.

[source]

Upgrade to the latest Git version

The most effective way to protect against these vulnerabilities is to upgrade to Git 2.50.1, the newest release containing fixes for the aforementioned vulnerabilities. If you can’t upgrade immediately, you can reduce your risk by avoiding --recurse-submodules when cloning untrusted repositories, disabling automatic fetching of bundle URIs (the transfer.bundleURI setting), and, on Windows, not using the wincred credential helper.

In order to protect users against attacks related to these vulnerabilities, GitHub has taken proactive steps. Specifically, we have scheduled releases of GitHub Desktop, and GitHub Codespaces and GitHub Actions will update their versions of Git shortly. GitHub itself, including Enterprise Server, is unaffected by these vulnerabilities.


CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386 were discovered by David Leadbeater. Justin Tobler and Patrick Steinhardt provided fixes for CVE-2025-48384 and CVE-2025-48385 respectively. The fix for CVE-2025-48386 is joint work between Taylor Blau and Jeff King.

CVE-2025-46335 was found and fixed by Johannes Sixt. Mark Levedahl discovered and fixed CVE-2025-46334. Avi Halachmi discovered both CVE-2025-27613 and CVE-2025-27614, and fixed the latter. CVE-2025-27613 was fixed by Johannes Sixt.

The post Git security vulnerabilities announced appeared first on The GitHub Blog.