CVSS: 8.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-48384 – Git allows arbitrary code execution through broken config quoting
https://notcve.org/view.php?id=CVE-2025-48384
08 Jul 2025 — Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodu... • https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9 • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-436: Interpretation Conflict •
CVSS: 8.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-48385 – Git alllows arbitrary file writes via bundle-uri parameter injection
https://notcve.org/view.php?id=CVE-2025-48385
08 Jul 2025 — Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the... • https://github.com/git/git/security/advisories/GHSA-m98c-vgpc-9655 • CWE-73: External Control of File Name or Path CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 6.3EPSS: 0%CPEs: 8EXPL: 0CVE-2025-48386 – Git allows a buffer overflow in 'wincred' credential helper
https://notcve.org/view.php?id=CVE-2025-48386
08 Jul 2025 — Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. The wincred credential helper uses a static buffer (target) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with wcsncat(), leading to potential buffer overflows. This vulnerability is fixed in v2.43.7, v... • https://github.com/git/git/security/advisories/GHSA-4v56-3xvj-xvfr • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0CVE-2024-52005 – The sideband payload is passed unfiltered to the terminal in git
https://notcve.org/view.php?id=CVE-2024-52005
15 Jan 2025 — Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that c... • https://github.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329 • CWE-116: Improper Encoding or Escaping of Output CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences •
CVSS: 3.1EPSS: 0%CPEs: 9EXPL: 0CVE-2024-50349 – Git does not sanitize URLs when asking for credentials interactively
https://notcve.org/view.php?id=CVE-2024-50349
14 Jan 2025 — Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When Git asks for credentials via a terminal prompt (i.e. without using any credential helper), it prints out the host name for which the user is expected to provide a username and/or a password. At this stage, any URL-encoded parts have been decoded already, and are printed verbatim. This allows attackers to craft URLs that contain ANSI escap... • https://github.com/git/git/commit/7725b8100ffbbff2750ee4d61a0fcc1f53a086e8 • CWE-116: Improper Encoding or Escaping of Output CWE-147: Improper Neutralization of Input Terminators CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences •
CVSS: 5.0EPSS: 0%CPEs: 9EXPL: 0CVE-2024-52006 – Newline confusion in credential helpers can lead to credential exfiltration in git
https://notcve.org/view.php?id=CVE-2024-52006
14 Jan 2025 — Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way. T... • https://github.com/git-ecosystem/git-credential-manager/security/advisories/GHSA-86c2-4x57-wc8g • CWE-116: Improper Encoding or Escaping of Output CWE-147: Improper Neutralization of Input Terminators CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences •
CVSS: 10.0EPSS: 0%CPEs: 7EXPL: 0CVE-2024-32465 – Git's protections for cloning untrusted repositories can be bypassed
https://notcve.org/view.php?id=CVE-2024-32465
14 May 2024 — Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixe... • http://www.openwall.com/lists/oss-security/2024/05/14/2 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 3.9EPSS: 0%CPEs: 7EXPL: 0CVE-2024-32021 – Local Git clone may hardlink arbitrary user-readable files into the new repository's "objects/" directory
https://notcve.org/view.php?id=CVE-2024-32021
14 May 2024 — Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. When cl... • http://www.openwall.com/lists/oss-security/2024/05/14/2 • CWE-61: UNIX Symbolic Link (Symlink) Following CWE-547: Use of Hard-coded, Security-relevant Constants •
CVSS: 3.9EPSS: 0%CPEs: 7EXPL: 0CVE-2024-32020 – Cloning local Git repository by untrusted user allows the untrusted user to modify objects in the cloned repository at will
https://notcve.org/view.php?id=CVE-2024-32020
14 May 2024 — Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up hardlinking files into the target repository's object database when source and target repository reside on the same disk. If the source repository is owned by a different user, then those hardlinked files may be rewritten at any point in time by the untrusted user. Cloning local repositories will cause Git to either copy or hardlink files of the source repository into the t... • http://www.openwall.com/lists/oss-security/2024/05/14/2 • CWE-62: UNIX Hard Link CWE-281: Improper Preservation of Permissions •
CVSS: 8.1EPSS: 8%CPEs: 7EXPL: 2CVE-2024-32004 – Git vulnerable to Remote Code Execution while cloning special-crafted local repositories
https://notcve.org/view.php?id=CVE-2024-32004
14 May 2024 — Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources. Git es un sistema de control de revisiones. • https://github.com/Wadewfsssss/CVE-2024-32004 • CWE-114: Process Control •