
The 2023 Open Source Program Office (OSPO) Survey is live!
Help quantify the state of enterprise open source by taking the 2023 OSPO survey.
Learn more about the security vulnerabilities affecting Git 2.26 and older.
Today, the Git project released new versions to address a security vulnerability in the credential helper mechanism that affects versions 2.26 and older.
These updates address an issue where a malformed remote URL (for example, from a git clone
, either directly, or as part of a submodule) can inject arbitrary data into the credential helper protocol stream. If you use a credential helper[1], this can be used to exfiltrate your credentials for one repository to an arbitrary destination.
The most effective way to protect against this vulnerability is to upgrade to 2.26.1. If you can’t update immediately, reduce your risk with the following:
git clone
with --recurse-submodules
against untrusted repositoriesGitHub has also taken proactive action in order to protect against these attacks. Specifically, we:
.gitmodules
files from being pushed to GitHub.comCredit for finding these vulnerabilities goes to Felix Wilhelm of Google Project Zero.
[1]: Many Git users have credential helpers configured to use credentials from their operating system’s keychain.
[2]: These fixes were included in the supported release series, specifically: 2.17.21, 2.18.15, 2.19.10, and 2.20.4. A subsequent release next week will ship the same patches we use on GitHub.com to prevent malicious .gitmodules
from being pushed to your installation.