The team behind the distributed source management system Git has recently published corrective issues for versions 2.48.1, 2.41.3, 2.42.4, 2.43.6, 2.44.3, 2.45.3, 2.46.3, and v2.47.2. In these updates, two vulnerabilities have been identified and addressed:
- CVE-2024-50349 – This vulnerability involves the potential for information substitution during an interactive password request to repositories. The issue stems from a lack of proper hostname validation, allowing for symbolic encoding in URL encoding. An attacker could exploit this to manipulate the terminal and send a password from one host to another during recursive cloning of submodules using the Git Clone-Recurse-Submodules command.
- CVE-2024-52006 – This vulnerability affects the Credential Helper protocol used for transferring accounts with limited access. A flaw in the implementation allows for the injection of a carriage return character through specially crafted URLs, potentially leading to data manipulation and incorrect password transmission. The impact of this vulnerability varies based on how the carriage return symbol is interpreted in different implementations of the Credential Helper protocol.
Users who are unable to update Git are advised to avoid connecting to unverified external repositories using the Git Clone command with the -Recurse-Submodules flag. Additionally, it is recommended to steer clear of using credential helpers when cloning public repositories. Fixes for these vulnerabilities have also been released for GitHub Desktop (CVE-2025-23040), Git LFS (CVE-2024-53263), and Git Credential Manager (CVE-2024-50338).
/Reports, release notes, official announcements.