GitHub flaws allow attackers to leak user credentials

by Arun Maity

Several critical vulnerabilities have been found in Git-related programs, among them GitHub Desktop, Git Large File Storage (LFS), Git Credential Manager, GitHub CLI and GitHub Codespaces. The flaws stem from improper handling of Git's text-based credential protocol, and they let an attacker who controls a repository or a remote host obtain a user's stored credentials.

The vulnerabilities underline how much risk sits in the credential-management code of Git-related projects. Git stores no passwords of its own: when it needs to authenticate, it asks a configured credential helper, such as git-credential-store, git-credential-osxkeychain or git-credential-winstore, for them over the Git credential protocol, a simple line-based text exchange on the helper's standard input and output. Every one of the flaws comes from mishandling those messages, which is what allowed the stored credentials to leak.

Git asks the helper for credentials with a request like the first message below and receives a response like the second:

Request:

protocol=https
host=github.com

Response:

protocol=https
host=github.com
username=USERNAME
password=PASSWORD

Each message is a sequence of key=value lines separated by newlines and parsed on both ends. Git rejects newline and NUL bytes in attribute names and values so that a value cannot inject an extra attribute line. The bugs below turn on characters such as the carriage return, which Git passed through as ordinary data while the helper on the other end treated them as line breaks.

The GitHub Desktop flaw, CVE-2025-23040, lets an attacker abuse what the researcher calls “carriage return smuggling” through a crafted malicious repository URL. Git treats only the line feed as a line terminator, but GitHub Desktop's credential handling also treated the carriage return as one, so a carriage return that Git let through could split a single attribute into two and cause the user's credentials to be handed out for an unauthorised host.

CVE-2024-50338, in Git Credential Manager, stems from the use of the .NET StreamReader class, whose ReadLine method treats a bare carriage return as a line terminator; a crafted URL could again exploit the mismatch between Git's and the helper's handling of newline and carriage return characters.

Git LFS was affected by CVE-2024-53263 when processing maliciously crafted files: by injecting newline characters into a value, a malicious host could bypass Git LFS's validation and have credentials exposed to it.
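The parsing mismatch behind the three bugs above (a line terminator that Git lets through but the helper honours) can be shown with a few lines of Python. The following is an added example, not code from Git, GitHub Desktop, Git Credential Manager or Git LFS: it models the request format shown earlier, parses it once the way Git does (only a line feed ends a line) and once the way a "universal newline" reader does (a carriage return ends a line too), and adds a hardened parser that refuses a value carrying any line terminator instead of reinterpreting it. The hostnames, the credential store and the smuggled request are all constructed.

```python
# Added example (not code from Git or any project named in the article): a minimal
# model of the Git credential protocol request, parsed strictly, leniently and with
# validation. Hostnames, store contents and the sample request are constructed.

from __future__ import annotations

# Git refuses to write attribute values containing LF or NUL; a helper should also
# refuse anything that it would itself treat as a line break, including CR.
FORBIDDEN_BYTES = (b"\n", b"\r", b"\0")


def _parse_lines(lines: list[bytes]) -> dict[str, str]:
    """Turn key=value lines into a dict. A repeated key overwrites the earlier
    value, so whichever 'host=' line comes last wins."""
    attrs: dict[str, str] = {}
    for line in lines:
        if not line:
            continue  # skip the blank line that terminates a credential message
        key, sep, value = line.partition(b"=")
        if not sep or not key:
            raise ValueError(f"malformed attribute line: {line!r}")
        attrs[key.decode("utf-8", "surrogateescape")] = value.decode("utf-8", "surrogateescape")
    return attrs


def parse_request_strict(raw: bytes) -> dict[str, str]:
    """Git's view: only LF terminates a line, so a CR inside a value stays in the value."""
    return _parse_lines(raw.split(b"\n"))


def parse_request_lenient(raw: bytes) -> dict[str, str]:
    """A helper using a universal-newline reader (bytes.splitlines() here, which splits
    on \\n, \\r and \\r\\n, like .NET StreamReader.ReadLine): a CR smuggled into a
    value ends the line early and the rest becomes a brand-new attribute."""
    return _parse_lines(raw.splitlines())


def parse_request_hardened(raw: bytes) -> dict[str, str]:
    """Strict parsing plus validation: reject any value that carries a byte Git
    promises never to emit, rather than guessing what the sender meant."""
    attrs = _parse_lines(raw.split(b"\n"))
    for key, value in attrs.items():
        bad = [b for b in FORBIDDEN_BYTES if b.decode() in value]
        if bad:
            raise ValueError(f"attribute {key!r} contains forbidden byte(s) {bad}")
    return attrs


def credentials_for(request: bytes, parser, store: dict[tuple[str, str], tuple[str, str]]):
    """Emulate a helper's lookup: parse the request, look up (protocol, host) and
    return the (username, password) pair, or None if nothing matches or the
    request was rejected."""
    try:
        attrs = parser(request)
    except ValueError:
        return None
    return store.get((attrs.get("protocol"), attrs.get("host")))


# Constructed credential store, as git-credential-store might hold it.
STORE = {("https", "github.com"): ("USERNAME", "PASSWORD")}

# Constructed request with a carriage return inside the host value. Git's LF/NUL
# check lets it through. Both hostnames are hypothetical.
SMUGGLED = b"protocol=https\nhost=attacker.example\rhost=github.com\n"
HONEST = b"protocol=https\nhost=github.com\n"

if __name__ == "__main__":
    # strict: None (host is the whole CR-bearing string, nothing matches)
    print("strict   :", credentials_for(SMUGGLED, parse_request_strict, STORE))
    # lenient: ('USERNAME', 'PASSWORD') -- the second host= line overrode the first
    print("lenient  :", credentials_for(SMUGGLED, parse_request_lenient, STORE))
    # hardened: None -- the CR in the value is rejected outright
    print("hardened :", credentials_for(SMUGGLED, parse_request_hardened, STORE))
    # honest request still works: ('USERNAME', 'PASSWORD')
    print("honest   :", credentials_for(HONEST, parse_request_hardened, STORE))
```

The lenient parser is the one that leaks: it resolves the request to the github.com entry even though the message Git built was for a different host, which is the shape of the GitHub Desktop and Git Credential Manager bugs. The hardened parser keeps Git's LF-only framing and treats a stray CR, LF or NUL in a value as an error, so a disagreement about line endings can never change which host a credential is looked up for.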

GitHub CLI had a logic flaw (CVE-2024-53858) in its IsEnterprise function, which did not distinguish GitHub-owned domains from arbitrary external hosts, so the CLI sent access tokens to hosts that should never have received them.

The final vulnerability was in the GitHub Codespaces credential helper, which always returned the “GITHUB_TOKEN” no matter which host the request named.

The flaws were identified by RyotaK, a cybersecurity engineer at GMO Flatt Security Inc., through the GitHub Bug Bounty program. The findings show that even a small architectural oversight, such as the two ends of a text protocol disagreeing about what counts as a line break, or a helper defaulting to trust for an unknown host, can lead to credential theft. They underline the importance of strict input validation and sanitisation in any software that handles sensitive credentials.


Arun Maity

Arun Maity is a journalist from Kolkata who graduated from the Asian College of Journalism. He has an avid interest in music, videogames and anime. When he's not working, you can find him practicing and recording his drum covers, watching anime or playing games. You can contact him here: arunmaity23@proton.me
