DEV Community

Avi Kapoor for MojoAuth

Posted on • Originally published at mojoauth.com on

Critical GitHub Vulnerability Exposes User Credentials Through Malicious Repositories

How Credential Vulnerabilities Work

Git uses the Git Credential Protocol, a line-based text exchange of key=value pairs, to pass credentials between the Git client and a credential helper program. Improper validation of these messages in several tools allowed malicious actors to smuggle newline and carriage return (\n and \r) characters into the exchange, causing credentials to be sent to hosts the user never intended.

Key Vulnerabilities Identified

  1. GitHub Desktop (CVE-2025-23040): Malicious repository URLs exploited differences in newline handling to trick GitHub Desktop into leaking GitHub credentials.
  2. Git Credential Manager (CVE-2024-50338): The .NET StreamReader improperly parsed newline and carriage return characters, enabling similar attacks.
  3. Git LFS (CVE-2024-53263): Malicious .lfsconfig files bypassed validation, leaking credentials to unauthorized hosts.
  4. GitHub CLI (CVE-2024-53858): A logic flaw in differentiating enterprise and external domains caused access tokens to be sent to arbitrary hosts.
  5. GitHub Codespaces: The credential helper always returned the GITHUB_TOKEN, exposing tokens to malicious domains during repository interactions.

Mitigations and Fixes

  • Git: Added credential.protectProtocol (enabled by default) to block carriage return smuggling.
  • GitHub Desktop & Credential Manager: Improved input sanitization to handle crafted URLs.
  • GitHub Codespaces: Updated credential helpers to validate requested hosts before returning tokens.

Importance of Secure Protocol Handling

The vulnerabilities highlight the risks of improper handling in text-based protocols, particularly in credential exchanges. Small mismatches between implementations of the same protocol, such as which characters are treated as a line terminator, can result in significant security breaches. Developers are encouraged to follow protocol specifications strictly and to add validation layers that reject control characters and unexpected hosts, mitigating the risk of injection attacks.
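To make the line-terminator mismatch and the host check concrete, here is an added example (written for this post, not code from Git, GCM or GitHub) of a credential-helper message parser. The lenient parser splits on CR as well as LF, as the text above describes for the .NET StreamReader, while the strict parser rejects any CR in a line, in the spirit of credential.protectProtocol, and the token lookup only answers for a known host; the messages and hosts are constructed placeholders.

```python
from typing import Optional


class ProtocolError(ValueError):
    """Raised when a credential message carries a control character."""


def parse_lenient(message: bytes) -> dict:
    """Split on LF *and* CR, the way a CR-tolerant line reader does.
    A later key overwrites an earlier one, so a smuggled line wins."""
    creds = {}
    for line in message.replace(b"\r", b"\n").split(b"\n"):
        if line == b"":
            continue
        key, _, value = line.partition(b"=")
        creds[key.decode()] = value.decode()
    return creds


def parse_strict(message: bytes) -> dict:
    """Accept only LF-terminated key=value lines up to the blank line,
    and reject any line that still carries CR or NUL (the intent of
    credential.protectProtocol)."""
    creds = {}
    for line in message.split(b"\n"):
        if line == b"":
            break  # blank line terminates the message
        key, sep, value = line.partition(b"=")
        if not sep or not key:
            raise ProtocolError(f"malformed line: {line!r}")
        if b"\r" in line or b"\0" in line:
            raise ProtocolError(f"control character in {key!r}")
        creds[key.decode()] = value.decode()
    return creds


def lookup_token(message: bytes, store: dict) -> Optional[str]:
    """Return a token only for a host the helper actually knows.
    An unknown host gets None instead of a default token."""
    creds = parse_strict(message)
    return store.get(creds.get("host"))


# Constructed sample messages; hosts and token are placeholders.
BENIGN = b"protocol=https\nhost=github.com\nusername=alice\n\n"
CRAFTED = b"protocol=https\nhost=github.com\rhost=attacker.invalid\n\n"
STORE = {"github.com": "ghp_PLACEHOLDER_TOKEN"}
```

Run `parse_lenient(CRAFTED)` and `parse_strict(CRAFTED)` side by side: the former quietly reports `attacker.invalid` as the host, the latter raises.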
