- Description
- GitHub Desktop is an open-source, Electron-based GitHub app designed for Git development. An attacker who convinces a user to clone a repository, directly or through a submodule, can gain access to the user's credentials through a maliciously crafted remote URL. GitHub Desktop relies on Git to perform all network-related operations (such as cloning, fetching, and pushing). When a user attempts to clone a repository, GitHub Desktop invokes `git clone`; when Git encounters a remote that requires authentication, it requests the credentials for that remote host from GitHub Desktop using the git-credential protocol. Using a maliciously crafted URL, it is possible to cause the credential request coming from Git to be misinterpreted by GitHub Desktop so that it sends credentials for a different host than the one Git is actually communicating with, thereby allowing secret exfiltration. The GitHub username and OAuth token, or credentials for other Git remote hosts stored in GitHub Desktop, could be improperly transmitted to an unrelated host. Users should update to GitHub Desktop 3.4.12 or greater, which fixes this vulnerability. Users who suspect they may be affected should revoke any relevant credentials.
- Source
- security-advisories@github.com
- NVD status
- Received
CVSS 3.1
- Type
- Secondary
- Base score
- 6.6
- Impact score
- 5.2
- Exploitability score
- 1.3
- Vector string
- CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
- Severity
- MEDIUM
- Weakness
- CWE-522 (source: security-advisories@github.com)
- Hype score
- Not currently trending
Multiple vulnerabilities in Git, including CVE-2025-23040: possible leakage of credentials https://t.co/xtLuPIG95M Four Git-related vulnerabilities were discovered; it is also good news that the reporter is RyotaK, a security researcher at GMO Flatt Security. Teams using Git, please take care. #Asia… https://t.co/hyvhIN324r
@iototsecnews
5 Feb 2025
61 Impressions
1 Retweet
0 Likes
0 Bookmarks
0 Replies
0 Quotes
1/8 New #Git vulnerabilities have been discovered! CVE-2025-23040 and Clone2Leak could expose your credentials. Learn how these vulnerabilities work and how to protect your development environment. 🔒 #CyberSecurity @gitlab
@Eth1calHackrZ
29 Jan 2025
47 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🔒⚠ SECURITY ALERT! A vulnerability in GitHub Desktop allows credential leakage (CVE-2025-23040). 🛡 Update now to the latest version to protect your information and prevent unauthorized access. https://t.co/1xru08CPQQ
@tpx_Security
28 Jan 2025
32 Impressions
1 Retweet
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Threat Alert: GitHub Desktop Vulnerability Risks Credential Leaks via Malicious Remote URLs CVE-2025-23040 CVE-2024-53858 CVE-2024-52006 Severity: 🔴 High Maturity: 💥 Mainstream Learn more: https://t.co/LzUSSG15cF #CyberSecurity #ThreatIntel #InfoSec
@fletch_ai
28 Jan 2025
17 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A vulnerability in Git's credential retrieval could expose sensitive information. It is tracked as CVE-2025-23040, and patches have been released to address these issues. Stay secure! 🔒 #GitHub #DataLeak #Japan link: https://t.co/mftz9hqAND https://t.co/a4wrhV5E4S
@TweetThreatNews
27 Jan 2025
45 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes