Git GUI's Hidden Danger: Unpacking CVE-2025-46334's Arbitrary Code Execution Risk
Introduction
Git GUI, a widely used graphical interface for Git on Windows, has recently been found to contain a critical vulnerability (CVE-2025-46334) that could allow attackers to execute arbitrary code simply by enticing users to interact with malicious repositories. Given Git's central role in software development, this vulnerability poses a significant threat to countless development environments, potentially leading to severe security breaches and system compromises.
Technical Information
CVE-2025-46334 exploits a fundamental flaw in Git GUI's implementation of Tcl/Tk on Windows. Specifically, when users select menu options such as 'Git Bash' or 'Browse Files', Git GUI searches for and executes helper binaries such as `sh.exe` or text conversion utilities (`astextplain`) from the current working directory, typically the repository's root. Windows path resolution behavior prioritizes executables in the current directory, allowing attackers to embed malicious executables within repositories.
This vulnerability is reminiscent of CVE-2022-41953, which involved similar path traversal issues. The recurrence indicates ongoing challenges in securely handling executable paths within Git GUI's Windows implementation. Attackers exploit this vulnerability by crafting repositories containing malicious executables named identically to legitimate binaries. When users interact with these repositories via Git GUI, the malicious executables run without warning, inheriting the user's privileges and potentially leading to full system compromise.
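The following added example (not code from Git GUI or the Git project) models the lookup difference described above: a current-directory-first search, as Windows performs by default, picks up a same-named file in the repository root, while a lookup restricted to the trusted install directory does not. It also includes a simple defender-side check that flags repository-root files whose names would shadow a Git GUI helper. The helper list, extension list and directory layout are assumptions for the demonstration, and the fixture is constructed with inert text files.

```python
import tempfile
from pathlib import Path

# Base names Git GUI invokes by bare name (sh.exe, astextplain per the advisory).
# The implicit-extension list approximates what a Windows command lookup would
# try; it is an assumption for this example, not Git GUI's exact behaviour.
HELPER_NAMES = ["sh", "astextplain"]
IMPLICIT_EXTS = ["", ".exe", ".bat", ".cmd", ".com"]

def resolve_helper(name, search_dirs, cwd=None):
    """Return the first existing candidate for `name`.
    Passing cwd emulates current-directory-first resolution (the vulnerable
    pattern); cwd=None is the hardened lookup that consults only trusted
    install directories."""
    dirs = ([cwd] if cwd is not None else []) + list(search_dirs)
    for d in dirs:
        for ext in IMPLICIT_EXTS:
            candidate = Path(d) / (name + ext)
            if candidate.is_file():
                return candidate
    return None

def scan_repo_root(repo_root):
    """Defender check: list files in a checked-out repository root whose names
    would shadow a Git GUI helper under current-directory-first resolution."""
    root = Path(repo_root)
    hits = set()
    for name in HELPER_NAMES:
        for ext in IMPLICIT_EXTS:
            if (root / (name + ext)).is_file():
                hits.add(name + ext)
    return sorted(hits)

def build_sample_tree():
    """Constructed fixture: a fake Git install dir holding the legitimate
    sh.exe, and a clone whose root carries a same-named (inert) file."""
    base = Path(tempfile.mkdtemp(prefix="gitgui-demo-"))
    install = base / "Git" / "usr" / "bin"
    install.mkdir(parents=True)
    (install / "sh.exe").write_text("legitimate shell placeholder")
    repo = base / "clone"
    repo.mkdir()
    (repo / "sh.exe").write_text("untrusted file shipped inside the repository")
    (repo / "README.md").write_text("# demo\n")
    return install, repo

if __name__ == "__main__":
    install, repo = build_sample_tree()
    print("cwd-first lookup :", resolve_helper("sh", [install], cwd=repo))
    print("hardened lookup  :", resolve_helper("sh", [install]))
    print("shadowing files  :", scan_repo_root(repo))
```

Running `scan_repo_root` over a freshly cloned repository before opening it in an unpatched Git GUI is a cheap triage step; the real fix remains upgrading to a patched version.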
Patch Information
To address the vulnerabilities CVE-2024-50349 and CVE-2024-52006, the Git project has implemented specific patches aimed at enhancing the security of credential handling and user interaction prompts.
CVE-2024-50349: Mitigating Malicious ANSI Escape Sequences in Prompts
Previously, when Git required user credentials interactively without a credential helper, it would display the hostname after URL-decoding it. This behavior allowed attackers to craft URLs containing ANSI escape sequences, potentially leading to misleading prompts that could deceive users into providing credentials for unintended hosts.
The patch ensures Git sanitizes the hostname before displaying it, stripping out ANSI escape sequences and preventing malicious manipulation of prompts.
CVE-2024-52006: Preventing Credential Helper Injection via Carriage Return Characters
An identified vulnerability allowed URLs containing carriage return characters to inject unintended values into the credential helper protocol stream. The patch introduces strict validation, explicitly rejecting URLs with carriage return characters, thereby securing communication between Git and credential helpers.
These patches have been incorporated into Git version 2.48.1. Users are strongly encouraged to upgrade to this version to benefit from these security improvements.
Git security vulnerabilities announced
Affected Systems and Versions
Git GUI for Windows versions prior to 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1 are affected. Users running these versions should immediately upgrade to the latest patched versions to mitigate the risk.
Vendor Security History
Git has previously encountered similar path traversal vulnerabilities, notably CVE-2022-41953. The vendor has consistently demonstrated responsiveness in addressing security issues, typically releasing patches within weeks of vulnerability disclosure. However, repeated vulnerabilities in Windows-specific components suggest a need for enhanced security audits and architectural improvements.
References
- NVD CVE-2025-46334
- GitHub Advisory
- Git Security Announcement
- Windows Forum Analysis
- Tenable CVE Entry
Security teams and developers must act swiftly to apply these patches and mitigate this critical vulnerability, ensuring the integrity and security of their development environments.
Source: This report was created using AI