
CVE-2024-53263

Git LFS permits exfiltration of credentials via crafted HTTP URLs

Severity Score (CVSS v4): 8.5
Exploit Likelihood (EPSS):
Affected Versions (CPE): see the affected products table below
Public Exploits (multiple sources): 0
Exploited in Wild (KEV): -
Decision (SSVC): Attend
Descriptions

Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the `git-credential(1)` command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user's Git credentials. This problem exists in all previous versions and is patched in v3.6.1. All users should upgrade to v3.6.1. There are no workarounds known at this time.

A flaw was found in the Git LFS git extension. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the `git-credential(1)` command without checking for embedded line-ending control characters and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user's Git credentials.

An update that fixes one vulnerability is now available. This update for git-lfs fixes the following issues. This release introduces a security fix for all platforms, which has been assigned CVE-2024-53263. When requesting credentials from Git for a remote host, prior versions of Git LFS passed portions of the host's URL to the git-credential command without checking for embedded line-ending control characters, and then sent any credentials received back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed or carriage return characters into the URL, an attacker might have been able to retrieve a user's Git credentials. Git LFS now prevents bare line feed characters from being included in the values sent to the git-credential command, and also prevents bare carriage return characters from being included unless the credential.protectProtocol configuration option is set to a value equivalent to false.
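As an added illustration of the check the fix describes (this is not Git LFS's own code): values bound for the git-credential key=value input are refused when they contain a bare LF, and a bare CR is refused unless the protectProtocol flag is false. The function names and the protectProtocol flag are assumptions; the sample host value is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrLineEnding: a value bound for git-credential's key=value input holds a bare CR or LF.
var ErrLineEnding = errors.New("git-credential value contains a line-ending control character")

// CheckCredentialValue applies the rule described for the v3.6.1 fix: a bare LF is
// always rejected; a bare CR is rejected unless protectProtocol is false (the caller
// maps credential.protectProtocol onto this flag). Added illustration, not Git LFS code.
func CheckCredentialValue(key, value string, protectProtocol bool) error {
	if strings.Contains(value, "\n") {
		return fmt.Errorf("%w: LF in %s", ErrLineEnding, key)
	}
	if protectProtocol && strings.Contains(value, "\r") {
		return fmt.Errorf("%w: CR in %s", ErrLineEnding, key)
	}
	return nil
}

// BuildCredentialRequest renders the lines piped to `git credential fill`. Each value
// is checked first: an embedded newline would otherwise be read by the helper as an
// extra key=value line (for example a different host=), redirecting the lookup.
func BuildCredentialRequest(protocol, host, path string, protectProtocol bool) (string, error) {
	fields := []struct{ key, value string }{{"protocol", protocol}, {"host", host}, {"path", path}}
	var b strings.Builder
	for _, f := range fields {
		if f.value == "" {
			continue // path is optional; omit empty keys
		}
		if err := CheckCredentialValue(f.key, f.value, protectProtocol); err != nil {
			return "", err
		}
		fmt.Fprintf(&b, "%s=%s\n", f.key, f.value)
	}
	b.WriteString("\n") // blank line terminates the request
	return b.String(), nil
}

func main() {
	// Constructed sample: a percent-encoded LF in the host; decoding yields a bare newline.
	host, _ := url.PathUnescape("example.com%0Ahost=other.example")
	_, err := BuildCredentialRequest("https", host, "org/repo.git", true)
	fmt.Println("injected LF refused:", errors.Is(err, ErrLineEnding)) // true
}
```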

*Credits: N/A
CVSS Scores

CVSS v4.0
  • Attack Vector: Network
  • Attack Complexity: Low
  • Attack Requirements: None
  • Privileges Required: None
  • User Interaction: Active
  • Vulnerable System: Confidentiality High, Integrity High, Availability None
  • Subsequent System: Confidentiality None, Integrity None, Availability None

CVSS v3.x (first listing)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: None

CVSS v3.x (second listing)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: None

CVSS v2.0
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: None
  • Availability: None

* Common Vulnerability Scoring System
SSVC
  • Decision: Attend
  • Exploitation: None
  • Automatable: Yes
  • Tech. Impact: Total
* Organization's Worst-case Scenario
Timeline
  • 2024-11-19 CVE Reserved
  • 2025-01-14 CVE Published
  • 2025-01-28 CVE Updated
  • 2025-05-16 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CAPEC
Affected Vendors, Products, and Versions
Vendor   Product   Version            Other   Status
Git-lfs  Git-lfs   >= 0.1.0 < 3.6.1           Affected