Git credential helper vulnerability announced
Learn more about the security vulnerabilities affecting Git 2.26 and older.
Today, the Git project released new versions to address a security vulnerability in the credential helper mechanism that affects versions 2.26 and older.
These updates address an issue where a malformed remote URL (for example, from a git clone
, either directly, or as part of a submodule) can inject arbitrary data into the credential helper protocol stream. If you use a credential helper[1], this can be used to exfiltrate your credentials for one repository to an arbitrary destination.
Upgrade to the latest Git version
The most effective way to protect against this vulnerability is to upgrade to 2.26.1. If you can’t update immediately, reduce your risk with the following:
- Avoid running
git clone
with--recurse-submodules
against untrusted repositories - Avoid using the credential helper by only cloning publicly available repositories
GitHub has also taken proactive action in order to protect against these attacks. Specifically, we:
- Deployed a change to prevent malicious
.gitmodules
files from being pushed to GitHub.com - Scheduled a GitHub Desktop release for later today that prevents exploiting this vulnerability
- Patched recent releases of GitHub Enterprise[2] to prevent this vulnerability in Pages
Credit for finding these vulnerabilities goes to Felix Wilhelm of Google Project Zero.
[1]: Many Git users have credential helpers configured to use credentials from their operating system’s keychain.
[2]: These fixes were included in the supported release series, specifically: 2.17.21, 2.18.15, 2.19.10, and 2.20.4. A subsequent release next week will ship the same patches we use on GitHub.com to prevent malicious .gitmodules
from being pushed to your installation.
Tags:
Written by
Related posts
What the EU’s new software legislation means for developers
The EU Cyber Resilience Act will introduce new cybersecurity requirements for software released in the EU. Learn what it means for your open source projects and what GitHub is doing to ensure the law will be a net win for open source maintainers.
Game Off 2024 theme announcement
GitHub’s annual month-long game jam, where creativity knows no limits! Throughout November, dive into your favorite game engines, libraries, and programming languages to bring your wildest game ideas to life. Whether you’re a seasoned dev or just getting started, it’s all about having fun and making something awesome!
Highlights from Git 2.47
Git 2.47 is here, with features like incremental multi-pack indexes and more. Check out our coverage of some of the highlights here.