Git credential helper vulnerability announced (Update)
Learn more about the security vulnerabilities affecting Git 2.26.1 and older.
A couple of days ago, Git released v2.26.1 to address a critical vulnerability in the credential helper mechanism. Today, the Git project is releasing another round of updates to address a related issue that’s present in v2.26.1 and older.
This vulnerability allows a malformed URL to create a credential pattern inside Git with some fields left blank. Many credential helpers interpret these blank values as an instruction to match any credential. This can result in leaking values from the underlying credential store to untrusted sources, sending the password stored for one server to another.
These updates address this new issue by not invoking the credential helper at all when the URL contains an un-representable value.
Note that not all credential helpers behave in a way that triggers the vulnerability. Git’s own store and cache helpers, along with the osxkeychain helper, are known to be vulnerable. Git Credential Manager for Windows is known to be unaffected. Other helpers should be assumed to be affected.
Upgrade to the latest Git version
The most effective way to protect against this vulnerability is to upgrade to v2.26.2. If you can’t update your client immediately, reduce your risk by following the same guidelines we recommend for v2.26.1:
- Avoid running git clone with
--recurse-submodulesagainst untrusted repositories. - Avoid using the credential helper by only cloning publicly available repositories
GitHub has implemented additional steps on top of the ones we took to protect against the attacks discovered in v2.26.1. Specifically, that means:
- Malicious
.gitmodules(including new variants discovered in v2.26.2) are blocked from being pushed to GitHub.com. - A new GitHub Desktop release is being prepared that prevents exploiting the new vulnerability.
- The next patch release of GitHub Enterprise Server backports the push-blocking changes we’re using on GitHub.com. Note that installations themselves are not vulnerable to this new attack.
Credit for finding these vulnerabilities goes to Carlo Arenas, as well as further analysis by Jonathan Nieder of Google.
Tags:
Written by
Related posts
From karaoke terminals to AI résumés: The winners of GitHub’s For the Love of Code challenge
This summer, we invited devs to participate in our hackathon for joyful, ridiculous, and wildly creative projects. Here are the winners of For the Love of Code!
Inside the breach that broke the internet: The untold story of Log4Shell
Log4Shell proved that open source security isn’t guaranteed and isn’t just a code problem. It’s about supporting, enabling, and empowering the people behind the projects that build our digital infrastructure.
Accelerate developer productivity with these 9 open source AI and MCP projects
GitHub Copilot and VS Code teams, along with the Microsoft Open Source Program Office (OSPO), sponsored these nine open source MCP projects that provide new frameworks, tools, and assistants to unlock AI-native workflows, agentic tooling, and innovation.