- Security researcher finds a set of related attacks and names them Clone2leak
- The flaws allowed threat actors to exfiltrate credentials through Git's credential helper
- Patches are now available, so update now
Several flaws were recently found in the credential helper of the distributed version control system Git that allowed malicious actors to exfiltrate login credentials for different projects. The flaws were responsibly disclosed to the developers and have since been fixed.
Git's credential helper is a feature that securely manages the credentials (usernames and passwords, or personal access tokens) required to authenticate with remote repositories. It simplifies authentication by caching or storing credentials so that users do not need to enter them again for every Git operation.
Recently, a cybersecurity researcher at the Japanese firm GMO Flatt Security, known as RyotaK, found three separate but related attacks and named them “Clone2leak.” He explained that the flaws stem from improper handling of the authentication requests sent to the credential helper. As a result, Git could end up sharing stored credentials with a malicious server.
Multiple flaws
GitHub Desktop, Git LFS, GitHub CLI/Codespaces and Git Credential Manager are reportedly vulnerable.
Clone2leak comprises three flaws: CVE-2025-23040, CVE-2024-50338 and CVE-2024-53263. The first two are described as “carriage return smuggling” bugs affecting GitHub Desktop and Git Credential Manager, while the third is described as a “newline injection” in Git LFS. The researcher also discovered a logic flaw in credential retrieval, tracked as CVE-2024-53858, which affects GitHub CLI and GitHub Codespaces.
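The defensive check behind these fixes, as an added example that is not code from the article or from any of the affected projects: Git's credential protocol is a line-oriented exchange of `key=value` lines terminated by a blank line, so a URL component that still contains a carriage return or line feed after percent-decoding would be read by the helper as a second, attacker-chosen line. The field names follow Git's documented credential format; `build_credential_request` and `remote_is_safe` are hypothetical helper functions, and the sample URLs are constructed.

```python
import re
from urllib.parse import unquote

# Characters that must never survive inside one credential-protocol field:
# a CR or LF ends the line early, and whatever follows is parsed as a new
# "key=value" line by the helper (the carriage return smuggling / newline
# injection pattern). NUL is rejected for the same reason.
_CTRL = re.compile(r"[\r\n\0]")

# Deliberately simple URL split; real remotes may also carry userinfo/port.
_URL = re.compile(r"(https?)://([^/]+)(/.*)?")


def build_credential_request(remote_url: str, use_http_path: bool = False) -> str:
    """Serialise the request Git hands to a credential helper for remote_url.

    Components are percent-decoded before they are written, which is where an
    encoded %0D / %0A in a crafted remote URL would turn into a raw CR / LF.
    Any component containing such a character is refused outright.
    """
    m = _URL.fullmatch(remote_url)
    if not m:
        raise ValueError("unsupported remote URL")
    scheme, host, path = m.group(1), unquote(m.group(2)), unquote(m.group(3) or "")
    fields = [("protocol", scheme), ("host", host)]
    if use_http_path and path.strip("/"):
        # Only sent when credential.useHttpPath is enabled in Git.
        fields.append(("path", path.lstrip("/")))
    for key, value in fields:
        if _CTRL.search(value):
            raise ValueError(f"control character in {key}: refusing to query helper")
    return "".join(f"{k}={v}\n" for k, v in fields) + "\n"


def remote_is_safe(remote_url: str) -> bool:
    """True when the URL can be handed to a credential helper without line-splitting."""
    try:
        build_credential_request(remote_url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a normal remote and one carrying an encoded CR LF.
    print(build_credential_request("https://github.com/org/repo.git"), end="")
    print(remote_is_safe("https://example.test%0D%0Aextra=line/repo"))  # False
```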
Users are now urged to migrate to patched versions to mitigate the risk of credential leaks.
All of the flaws mentioned above have since been addressed, and users are urged to update their tools, audit their credential configurations and be careful when cloning repositories. The versions to look for are GitHub Desktop 3.4.12, Git Credential Manager 2.6.1, Git LFS 3.6.1 and GitHub CLI 2.63.0.
Users must also enable the ‘credential.
Via BleepingComputer