The Git project has released a critical security update, version 2.50.1, addressing seven vulnerabilities (CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46335, CVE-2025-48384, CVE-2025-48385 and CVE-2025-48386) that affect all previous Git versions. Taken together, the issues could lead to arbitrary code execution or to files being created or overwritten outside the repository the user intended to work in.
The most significant of the core Git issues, CVE-2025-48384, stems from an asymmetry in configuration handling: when reading a config value Git strips any trailing carriage return and line feed, but when writing a value it does not quote a trailing carriage return, so such a value changes on a write/read round trip. If a submodule path ends in a carriage return, the altered path is used when the submodule is initialized and the submodule is checked out to a different location than intended; if a symlink points that location at the submodule's hooks directory and the submodule ships an executable post-checkout hook, that attacker-supplied hook runs after checkout. A related issue, CVE-2025-48385, concerns bundle URIs: when cloning, Git can fetch a bundle advertised by the remote so that part of the clone is offloaded to a CDN, but the client does not sufficiently validate what the remote advertises. A malicious remote can use this protocol injection to make the client write the fetched bundle, whose content the server fully controls, to a location of the attacker's choosing, which in the worst case leads to arbitrary code execution.
On Windows, CVE-2025-48386 is a buffer overflow in the wincred credential helper, which stores and retrieves credentials for authenticated Git operations through the Windows Credential Manager. The helper builds the key it uses to look up stored credentials in a fixed-size buffer and appends to that buffer without checking the space remaining, so a crafted credential request can overflow it and potentially compromise the user's system.
The remaining four vulnerabilities are in Git's Tcl/Tk-based graphical tools, Gitk and Git GUI. CVE-2025-27613 affects Gitk when a user clones an untrusted repository and runs Gitk without arguments: files the user has write permission for can be created or truncated. This path requires the 'Support per-file encoding' preference, which is off by default, to have been enabled, but the same outcome is possible through the 'Show origin of this line' action regardless of that setting. CVE-2025-27614 is more severe: a repository can be crafted so that running gitk with a particular filename argument executes any script (Bourne shell, Perl, Python and so on) supplied by the attacker.
CVE-2025-46334 is Windows-specific and affects Git GUI: a malicious repository can ship its own sh.exe or its own copies of the textconv filter programs Git GUI invokes, and because Windows path lookup can find executables in the working tree, those files are run when the user selects 'Git Bash' or 'Browse Files' from the menu. CVE-2025-46335 is a file-manipulation issue in Git GUI comparable to CVE-2025-27613 in Gitk: if the user is tricked into editing a file inside a maliciously named directory of an untrusted repository, Git GUI can create or overwrite files the user has write permission for.
The effective mitigation is to upgrade to Git 2.50.1 promptly. Until that is possible, the interim measures are: do not clone untrusted repositories with --recurse-submodules (CVE-2025-48384); leave bundle-URI fetching disabled by not setting transfer.bundleURI to true (CVE-2025-48385); stop using the wincred credential helper on Windows (CVE-2025-48386); and do not run Git GUI or Gitk inside untrusted repositories, or at the very least leave Gitk's 'Support per-file encoding' preference off and do not pass filenames to gitk there (CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46335). None of these replaces the upgrade.
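The version and configuration checks behind that mitigation list, as an added example that is neither the Git project's code nor part of the original article: the script decides whether an installed Git already contains the fixes and flags the two interim workarounds that are visible in configuration (transfer.bundleURI and a wincred credential helper). The article names only 2.50.1; the fixed releases for the older maintenance tracks listed in the script are taken from the upstream release announcement and should be verified against it. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Git project or the article): pre-upgrade triage
# for the Git 2.50.1 advisory set. The checking functions take the version
# string and config values as arguments so they can be exercised offline; the
# last section runs them against whatever git is on PATH.

# Releases carrying the fixes, one per maintenance track. Assumption: only
# 2.50.1 appears in the article; the older-track numbers come from the
# upstream release announcement and should be confirmed there.
FIXED_VERSIONS="2.50.1 2.49.1 2.48.2 2.47.3 2.46.4 2.45.4 2.44.4 2.43.7"

# git_is_patched "git version 2.50.1.windows.1" -> exit 0 when the version is
# at or above the fixed release of its own minor track (or newer than every
# track), 1 otherwise. Tracks older than the oldest fixed one received no fix.
git_is_patched() {
    # Keep only the leading dotted numeric part: "2.50.1.windows.1" -> "2.50.1."
    _ver=$(printf '%s' "$1" | sed -e 's/^git version //' -e 's/[^0-9.].*$//')
    set -- $(printf '%s' "$_ver" | tr '.' ' ')
    _maj=${1:-0}; _min=${2:-0}; _pat=${3:-0}
    # The first list entry is the newest track.
    _newest=${FIXED_VERSIONS%% *}
    set -- $(printf '%s' "$_newest" | tr '.' ' ')
    [ "$_maj" -gt "$1" ] && return 0
    [ "$_maj" -lt "$1" ] && return 1
    [ "$_min" -gt "$2" ] && return 0
    for _fixed in $FIXED_VERSIONS; do
        set -- $(printf '%s' "$_fixed" | tr '.' ' ')
        if [ "$_min" -eq "$2" ]; then
            [ "$_pat" -ge "$3" ] && return 0
            return 1
        fi
    done
    return 1
}

# assess_setting KEY VALUE -> prints a finding and returns 1 when the value
# contradicts one of the article's interim workarounds; returns 0 otherwise.
assess_setting() {
    case "$1" in
        transfer.bundleURI)
            # CVE-2025-48385: opting in to advertised bundle URIs lets the
            # remote influence where the fetched bundle is written.
            if [ "$2" = "true" ]; then
                echo "FINDING transfer.bundleURI=true: unset it or set it to false until upgraded"
                return 1
            fi ;;
        credential.helper)
            # CVE-2025-48386: wincred is the helper with the overflow, whether
            # named bare or by its full git-credential-wincred path.
            case "$2" in
                wincred|*git-credential-wincred*)
                    echo "FINDING credential.helper=$2: use a different helper until upgraded"
                    return 1 ;;
            esac ;;
    esac
    return 0
}

# audit_local_git -> runs both checks against the installed git and returns
# the number of findings (0 means nothing to do beyond the upgrade itself).
audit_local_git() {
    _findings=0
    _v=$(git --version 2>/dev/null || echo "git version 0.0.0")
    if git_is_patched "$_v"; then
        echo "OK      $_v contains the fixes"
    else
        echo "FINDING $_v is unpatched: upgrade to 2.50.1 (or your track's fixed release)"
        _findings=$((_findings + 1))
    fi
    _nl='
'
    for _key in transfer.bundleURI credential.helper; do
        # Effective values across all scopes; an unset key is fine (|| true
        # keeps a missing key from aborting under set -e).
        _vals=$(git config --get-all "$_key" 2>/dev/null || true)
        _saved_ifs=$IFS; IFS=$_nl
        set -- $_vals
        IFS=$_saved_ifs
        for _val in "$@"; do
            assess_setting "$_key" "$_val" || _findings=$((_findings + 1))
        done
    done
    return "$_findings"
}

# The submodule precaution (no --recurse-submodules on untrusted clones) and
# the Gitk/Git GUI advice are usage habits, not config keys, so they are not
# something this audit can observe.
if command -v git >/dev/null 2>&1; then
    if audit_local_git; then
        echo "findings: 0"
    else
        echo "findings: $?"
    fi
fi
```

The version check deliberately treats a release as patched only relative to its own minor track, so a 2.49.0 install is reported as unpatched even though 2.49.x is older than 2.50.1; that mirrors how the fixes were shipped and avoids telling a distribution user on a backported track to chase 2.50.1 specifically.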
For more information, refer to the official announcement.