Clone2Leak: Git Vulnerabilities Expose Credentials to Theft

A series of three interconnected vulnerabilities, collectively referred to as ‘Clone2Leak,’ exposes Git users to credential theft by exploiting flaws in authentication handling within Git and its credential helpers.

These vulnerabilities, discovered by RyotaK from GMO Flatt Security, could allow attackers to compromise passwords and access tokens for platforms like GitHub Desktop, Git LFS, GitHub CLI/Codespaces, and the Git Credential Manager. The researcher responsibly disclosed the flaws, and security updates have been released to address them.

Understanding Clone2Leak Attacks

Clone2Leak exploits improper handling of authentication requests sent to credential helpers. These helpers manage credentials for Git operations, streamlining the authentication process. Attackers can abuse these flaws to trick Git into leaking stored credentials during interactions with malicious repositories.

The Three Attack Methods:

  1. Carriage Return Smuggling
    • CVE-2025-23040 and CVE-2024-50338
    • Vulnerable systems: GitHub Desktop and Git Credential Manager
    • Description: Malicious submodule URLs using %0D (carriage return characters) trick credential helpers into sending GitHub credentials to an attacker-controlled server.
  2. Newline Injection
    • CVE-2024-53263
    • Vulnerable systems: Git LFS
    • Description: Improper handling of newline characters (\n) in .lfsconfig files bypasses Git’s security. Attackers can redirect credential requests to malicious servers.
  3. Logic Flaws in Credential Retrieval
    • CVE-2024-53858
    • Vulnerable systems: GitHub CLI and GitHub Codespaces
    • Description: Overly permissive credential helpers inadvertently send authentication tokens to attacker-controlled servers when interacting with malicious repositories.
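To make the mechanism concrete from the defender's side, here is an added example in Python. It is not code from the article, from Git, or from any of the affected helpers. It contrasts a lenient parser of Git's credential-helper line protocol (which treats a carriage return like a line break, so a smuggled "host=" line overrides the real one) with a strict parser that refuses any control character, and it scans .gitmodules/.lfsconfig-style URLs for raw or percent-encoded CR/LF before they would ever reach a helper. The sample requests and config text are constructed, and the function names are mine.

```python
"""Defensive checks for the Git credential-helper line protocol and for
submodule/LFS URLs that carry smuggled control characters.

Added example, not code from the article or from Git. Sample inputs are
constructed for illustration.
"""
import re
from urllib.parse import unquote

# Git's credential protocol is "key=value" lines ended by a blank line.
# A value must never contain CR or LF: helpers split the request on line
# breaks, so a smuggled break lets a second "host=" line replace the real one.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def naive_parse(raw: str) -> dict:
    """A lenient parser (constructed for contrast, not any helper's code):
    treating "\\r" like "\\n" turns the smuggled "host=" into a real field."""
    fields = {}
    for line in re.split(r"\r\n|\r|\n", raw):
        if line == "":
            break
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key] = value  # later duplicate silently overwrites
    return fields


def parse_credential_request(raw: str) -> dict:
    """Strict parser: refuse the whole request on any control character,
    so no credential is looked up for a tampered host."""
    fields = {}
    for line in raw.split("\n"):
        if line == "":
            break  # blank line terminates the request
        if "=" not in line:
            raise ValueError(f"malformed line: {line!r}")
        key, value = line.split("=", 1)
        if CONTROL_CHARS.search(key) or CONTROL_CHARS.search(value):
            # a bare "\r" inside a value is the carriage-return smuggling case
            raise ValueError(f"control character in field {key!r}")
        fields[key] = value
    if "protocol" not in fields or "host" not in fields:
        raise ValueError("request missing protocol/host")
    return fields


def request_is_safe(raw: str) -> bool:
    """Convenience wrapper: True if the strict parser accepts the request."""
    try:
        parse_credential_request(raw)
        return True
    except ValueError:
        return False


def url_is_suspicious(url: str) -> bool:
    """True if a URL (as found in .gitmodules or .lfsconfig) contains a raw
    or percent-encoded control character such as %0D or %0A."""
    return bool(CONTROL_CHARS.search(unquote(url)))


# "url = ..." lines in git-config style files (.gitmodules, .lfsconfig).
URL_LINE = re.compile(r"^\s*url\s*=\s*(.+?)\s*$", re.M)


def scan_config_for_smuggling(config_text: str) -> list:
    """Return every URL in a git-config style file that should be refused
    before Git asks a credential helper about it."""
    return [u for u in URL_LINE.findall(config_text) if url_is_suspicious(u)]


# Constructed samples: one clean request, one with a smuggled CR, and a
# .gitmodules file with a benign and a hostile submodule URL.
GOOD_REQUEST = "protocol=https\nhost=github.com\npath=example-org/lib.git\n\n"
BAD_REQUEST = "protocol=https\nhost=github.com\rhost=evil.example\n\n"
SAMPLE_GITMODULES = """\
[submodule "lib"]
\tpath = lib
\turl = https://github.com/example-org/lib.git
[submodule "odd"]
\tpath = odd
\turl = https://github.com/%0Dhost=evil.example/x.git
"""

if __name__ == "__main__":
    print("lenient parser sees host:", naive_parse(BAD_REQUEST)["host"])
    print("strict parser accepts bad request:", request_is_safe(BAD_REQUEST))
    print("suspicious URLs:", scan_config_for_smuggling(SAMPLE_GITMODULES))
```

The strict parser only catches a carriage return that survives inside a value; a literal newline has already become its own line by the time a helper reads the request, which is why the URL scan is the second layer: the control character must be rejected where the URL is read from the repository, before Git builds the request at all.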

Protecting Against Clone2Leak

All affected tools have received security patches, and users are strongly urged to update to the following safe versions:

  • GitHub Desktop: 3.4.12 or newer
  • Git Credential Manager: 2.6.1 or newer
  • Git LFS: 3.6.1 or newer
  • GitHub CLI (gh): 2.63.0 or newer

Additional Recommendations

  • Enable Git’s credential.protectProtocol setting to strengthen defenses against credential smuggling.
  • Audit credential configurations for vulnerabilities.
  • Exercise caution when cloning repositories, especially from untrusted sources.
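The version list above is easy to misread when comparing by hand (as strings, "2.9.0" sorts after "2.63.0"). The following added Python script, which is not from the article or any of the vendors, parses each tool's version output numerically and compares it with the minimum patched versions the article gives. The version commands for gh and Git LFS are the tools' real ones; the git-credential-manager --version invocation and the sample output strings are assumptions labelled in the code, and GitHub Desktop has no command-line version probe here, so it is left to a manual check.

```python
"""Compare installed tool versions with the patched versions listed in
the advisory.  Added example, not from the article or the vendors.
SAMPLE_OUTPUT is constructed; the git-credential-manager command is an
assumption about its CLI."""
import re
import shutil
import subprocess

# Minimum safe versions, as given in the advisory.
MIN_VERSIONS = {
    "github-desktop": "3.4.12",
    "git-credential-manager": "2.6.1",
    "git-lfs": "3.6.1",
    "gh": "2.63.0",
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def version_tuple(text: str):
    """First x.y.z in a version banner as a tuple of ints (None if absent).
    Tuples compare numerically, so (2, 9, 0) < (2, 63, 0) as it should."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_patched(tool: str, version_output: str) -> bool:
    """True if the banner reports a version at or above the advisory minimum."""
    found = version_tuple(version_output)
    return found is not None and found >= version_tuple(MIN_VERSIONS[tool])


# Commands that print a version. GitHub Desktop is a GUI app and is
# checked by hand. The GCM invocation is an assumption.
VERSION_COMMANDS = {
    "gh": ["gh", "--version"],
    "git-lfs": ["git", "lfs", "version"],
    "git-credential-manager": ["git-credential-manager", "--version"],
}


def probe_installed() -> dict:
    """Run each version command found on PATH. Returns tool -> True/False
    (patched or not), or None when the tool is absent or the command fails."""
    results = {}
    for tool, cmd in VERSION_COMMANDS.items():
        if shutil.which(cmd[0]) is None:
            results[tool] = None
            continue
        try:
            proc = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
        except (OSError, subprocess.SubprocessError):
            results[tool] = None
            continue
        # "git lfs version" fails when the LFS extension is not installed
        results[tool] = is_patched(tool, proc.stdout) if proc.returncode == 0 else None
    return results


# Constructed banners in the real tools' formats, one too old and one fixed.
SAMPLE_OUTPUT = {
    "gh": "gh version 2.9.0 (2022-05-10)",
    "git-lfs": "git-lfs/3.6.1 (GitHub; linux amd64; go 1.22.5)",
}

if __name__ == "__main__":
    for tool, banner in SAMPLE_OUTPUT.items():
        print(f"sample {tool}: patched={is_patched(tool, banner)}")
    for tool, state in probe_installed().items():
        print(f"installed {tool}: {'not found' if state is None else 'patched' if state else 'UPDATE'}")
```

After updating, the article's credential.protectProtocol recommendation is applied with a plain Git config setting: git config --global credential.protectProtocol true (the boolean value is assumed from the article's wording "enable").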

Although there are no reports of active exploitation, the public disclosure of these vulnerabilities increases the risk. Updating and securing tools promptly is essential to mitigate potential attacks.
