These updates address an issue where a malformed remote URL (for example, from a
git clone, either directly, or as part of a submodule) can inject arbitrary data into the credential helper protocol stream. If you use a credential helper, this can be used to exfiltrate your credentials for one repository to an arbitrary destination.
The most effective way to protect against this vulnerability is to upgrade to 2.26.1. If you can’t update immediately, reduce your risk with the following:
- Avoid running
--recurse-submodulesagainst untrusted repositories
- Avoid using the credential helper by only cloning publicly available repositories
GitHub has also taken proactive action in order to protect against these attacks. Specifically, we:
- Deployed a change to prevent malicious
.gitmodulesfiles from being pushed to GitHub.com
- Scheduled a GitHub Desktop release for later today that prevents exploiting this vulnerability
- Patched recent releases of GitHub Enterprise to prevent this vulnerability in Pages
Credit for finding these vulnerabilities goes to Felix Wilhelm of Google Project Zero.
: These fixes were included in the supported release series, specifically: 2.17.21, 2.18.15, 2.19.10, and 2.20.4. A subsequent release next week will ship the same patches we use on GitHub.com to prevent malicious
.gitmodules from being pushed to your installation.