CVE-2025-23040 (GCVE-0-2025-23040)

Vulnerability from cvelistv5 – Published: 2025-01-15 17:25 – Updated: 2025-01-15 20:16
Summary
GitHub Desktop is an open-source, Electron-based GitHub client for Git development. An attacker who convinces a user to clone a repository, directly or through a submodule, can obtain the user's stored credentials by way of a maliciously crafted remote URL.

GitHub Desktop relies on Git for all network operations (cloning, fetching and pushing). When a user clones a repository, GitHub Desktop invokes `git clone`; when Git reaches a remote that requires authentication, it asks GitHub Desktop for the credentials of that remote host using the git-credential protocol. A maliciously crafted URL can cause GitHub Desktop to misinterpret the credential request coming from Git, so that it answers with credentials for a host other than the one Git is currently communicating with, allowing secret exfiltration. The user's GitHub username and OAuth token, or credentials for other Git remote hosts stored in GitHub Desktop, could thereby be transmitted to an unrelated host. Because submodule URLs are part of the cloned repository's contents, a clone of an innocuous-looking repository is enough to trigger the request.

Users should update to GitHub Desktop 3.4.12 or later, which fixes this vulnerability. Users who suspect they may have been affected should revoke any relevant credentials; the GitHub OAuth token can be revoked from the GitHub Apps authorization page referenced below (docs.github.com, reviewing and revoking authorization of GitHub Apps).
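The credential exchange the summary describes, as an added example that is not GitHub Desktop's own code: a minimal `get` handler for the git-credential protocol, with a lenient request parser beside a strict one. The credential store and the requests are constructed for the example, and the weakness shown (treating a bare carriage return inside a value as a line separator and letting a repeated `host=` attribute overwrite the first) is an assumption made to illustrate how a request from Git can be misinterpreted so that credentials for one host are returned for another; the advisory on this page does not say what GitHub Desktop's parser did or what the crafted URL looks like.

```typescript
// Added example (not GitHub Desktop's code): a minimal "get" handler for the
// git-credential protocol. Git sends a request as "key=value" lines separated
// by LF and terminated by a blank line (https://git-scm.com/docs/git-credential):
//
//   protocol=https
//   host=github.com
//   <blank line>
//
// and the helper answers with "username=...\npassword=...\n\n".

type CredentialRequest = Map<string, string>;

interface StoredCredential {
  username: string;
  password: string;
}

// Constructed in-memory store keyed by "protocol://host". The token is a
// placeholder, not a real credential.
const CREDENTIAL_STORE: Record<string, StoredCredential> = {
  "https://github.com": { username: "octocat", password: "gho_placeholder_token" },
};

// Lenient parser (the illustrative weak side, assumed for this example): any CR
// or LF ends a line, and a later attribute silently overwrites an earlier one.
// Git only ends lines with LF, so a CR inside a value is data, not a separator.
function parseLenient(raw: string): CredentialRequest {
  const req: CredentialRequest = new Map();
  for (const line of raw.split(/\r|\n/)) {
    if (line === "") continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    req.set(line.slice(0, eq), line.slice(eq + 1));
  }
  return req;
}

// Strict parser: only LF separates lines, the first blank line ends the request,
// control characters anywhere in a key or value are rejected, and a repeated
// attribute is rejected rather than overwritten.
function parseStrict(raw: string): CredentialRequest {
  const req: CredentialRequest = new Map();
  const controlChars = /[\x00-\x1f\x7f]/;
  for (const line of raw.split("\n")) {
    if (line === "") break;
    const eq = line.indexOf("=");
    if (eq <= 0) throw new Error(`malformed credential line: ${JSON.stringify(line)}`);
    const key = line.slice(0, eq);
    const value = line.slice(eq + 1);
    if (controlChars.test(key) || controlChars.test(value)) {
      throw new Error(`control character in credential attribute ${JSON.stringify(key)}`);
    }
    if (req.has(key)) throw new Error(`duplicate credential attribute ${key}`);
    req.set(key, value);
  }
  return req;
}

// Looks up stored credentials for exactly the protocol/host pair Git asked about
// and formats the reply Git expects. Returns null (answer nothing) when the
// request is rejected or no credential is stored for that host.
function credentialGet(
  raw: string,
  parse: (raw: string) => CredentialRequest,
): string | null {
  let req: CredentialRequest;
  try {
    req = parse(raw);
  } catch {
    return null;
  }
  const protocol = req.get("protocol");
  const host = req.get("host");
  if (protocol === undefined || host === undefined) return null;
  const cred: StoredCredential | undefined = CREDENTIAL_STORE[`${protocol}://${host}`];
  if (cred === undefined) return null;
  return `username=${cred.username}\npassword=${cred.password}\n\n`;
}

// Constructed requests. The benign one is what Git sends for github.com. The
// hostile one models Git asking about attacker.example for a remote whose
// username component carries "host=github.com" behind a bare carriage return
// (an assumption for illustration; the advisory does not give the URL shape).
const BENIGN_REQUEST = "protocol=https\nhost=github.com\n\n";
const UNRELATED_HOST_REQUEST = "protocol=https\nhost=attacker.example\n\n";
const HOSTILE_REQUEST =
  "protocol=https\nhost=attacker.example\nusername=x\rhost=github.com\n\n";

function demo(): void {
  console.log("lenient, benign :", credentialGet(BENIGN_REQUEST, parseLenient));
  console.log("lenient, hostile:", credentialGet(HOSTILE_REQUEST, parseLenient)); // github.com token leaks
  console.log("strict,  hostile:", credentialGet(HOSTILE_REQUEST, parseStrict)); // null
}
demo();
```

With the lenient parser the hostile request is answered with the github.com credentials even though Git is talking to attacker.example, which is the leak the summary describes; the strict parser refuses the request outright, and a helper that answers nothing is the safe failure mode, since Git then simply fails to authenticate.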
CWE
  • CWE-522 - Insufficiently Protected Credentials
Assigner
  • GitHub_M (security-advisories@github.com)
Severity
  • CVSS 3.1 base score 6.6 (MEDIUM): CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
  • SSVC (CISA ADP): Exploitation none, Automatable no, Technical Impact total
Impacted products
Vendor    Product    Version
desktop   desktop    Affected: < 3.4.12 (github.com/desktop/desktop; fixed in 3.4.12)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-23040",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-15T20:16:29.404662Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-15T20:16:39.997Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "desktop",
          "vendor": "desktop",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.4.12"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "GitHub Desktop is an open-source Electron-based GitHub app designed for git development. An attacker convincing a user to clone a repository directly or through a submodule can allow the attacker access to the user\u0027s credentials through the use of maliciously crafted remote URL. GitHub Desktop relies on Git to perform all network related operations (such as cloning, fetching, and pushing). When a user attempts to clone a repository GitHub Desktop will invoke `git clone` and when Git encounters a remote which requires authentication it will request the credentials for that remote host from GitHub Desktop using the git-credential protocol. Using a maliciously crafted URL it\u0027s possible to cause the credential request coming from Git to be misinterpreted by Github Desktop such that it will send credentials for a different host than the host that Git is currently communicating with thereby allowing for secret exfiltration. GitHub username and OAuth token, or credentials for other Git remote hosts stored in GitHub Desktop could be improperly transmitted to an unrelated host. Users should update to GitHub Desktop 3.4.12 or greater which fixes this vulnerability. Users who suspect they may be affected should revoke any relevant credentials."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-522",
              "description": "CWE-522: Insufficiently Protected Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-15T17:25:00.945Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/desktop/desktop/security/advisories/GHSA-36mm-rh9q-cpqq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/desktop/desktop/security/advisories/GHSA-36mm-rh9q-cpqq"
        },
        {
          "name": "https://docs.github.com/en/apps/using-github-apps/reviewing-and-revoking-authorization-of-github-apps",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.github.com/en/apps/using-github-apps/reviewing-and-revoking-authorization-of-github-apps"
        },
        {
          "name": "https://git-scm.com/docs/git-credential",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://git-scm.com/docs/git-credential"
        }
      ],
      "source": {
        "advisory": "GHSA-36mm-rh9q-cpqq",
        "discovery": "UNKNOWN"
      },
      "title": "Maliciously crafted remote URLs could lead to credential leak in GitHub Desktop"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-23040",
    "datePublished": "2025-01-15T17:25:00.945Z",
    "dateReserved": "2025-01-10T15:11:08.883Z",
    "dateUpdated": "2025-01-15T20:16:39.997Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-23040\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-01-15T18:15:24.797\",\"lastModified\":\"2025-01-15T18:15:24.797\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"GitHub Desktop is an open-source Electron-based GitHub app designed for git development. An attacker convincing a user to clone a repository directly or through a submodule can allow the attacker access to the user\u0027s credentials through the use of maliciously crafted remote URL. GitHub Desktop relies on Git to perform all network related operations (such as cloning, fetching, and pushing). When a user attempts to clone a repository GitHub Desktop will invoke `git clone` and when Git encounters a remote which requires authentication it will request the credentials for that remote host from GitHub Desktop using the git-credential protocol. Using a maliciously crafted URL it\u0027s possible to cause the credential request coming from Git to be misinterpreted by Github Desktop such that it will send credentials for a different host than the host that Git is currently communicating with thereby allowing for secret exfiltration. GitHub username and OAuth token, or credentials for other Git remote hosts stored in GitHub Desktop could be improperly transmitted to an unrelated host. Users should update to GitHub Desktop 3.4.12 or greater which fixes this vulnerability. Users who suspect they may be affected should revoke any relevant credentials.\"},{\"lang\":\"es\",\"value\":\"GitHub Desktop es una aplicaci\u00f3n de GitHub de c\u00f3digo abierto basada en Electron dise\u00f1ada para el desarrollo de Git. Un atacante que convenza a un usuario de clonar un repositorio directamente o a trav\u00e9s de un subm\u00f3dulo puede permitirle acceder a las credenciales del usuario mediante el uso de una URL remota creada con fines malintencionados. 
GitHub Desktop depende de Git para realizar todas las operaciones relacionadas con la red (como clonar, obtener y enviar). Cuando un usuario intenta clonar un repositorio, GitHub Desktop invocar\u00e1 `git clone` y cuando Git encuentre un host remoto que requiera autenticaci\u00f3n, solicitar\u00e1 las credenciales para ese host remoto de GitHub Desktop utilizando el protocolo git-credential. Si se utiliza una URL creada con fines malintencionados, es posible hacer que Github Desktop malinterprete la solicitud de credenciales que proviene de Git, de modo que env\u00ede las credenciales para un host diferente al host con el que Git se est\u00e1 comunicando actualmente, lo que permite la exfiltraci\u00f3n secreta. El nombre de usuario y el token OAuth de GitHub, o las credenciales de otros hosts remotos de Git almacenados en GitHub Desktop, podr\u00edan transmitirse incorrectamente a un host no relacionado. Los usuarios deben actualizar a GitHub Desktop 3.4.12 o una versi\u00f3n posterior, que corrige esta vulnerabilidad. 
Los usuarios que sospechen que pueden verse afectados deben revocar las credenciales pertinentes.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":6.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.3,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-522\"}]}],\"references\":[{\"url\":\"https://docs.github.com/en/apps/using-github-apps/reviewing-and-revoking-authorization-of-github-apps\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://git-scm.com/docs/git-credential\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/desktop/desktop/security/advisories/GHSA-36mm-rh9q-cpqq\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-23040\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-15T20:16:29.404662Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-15T20:15:44.695Z\"}}], \"cna\": {\"title\": \"Maliciously crafted remote URLs could lead to credential leak in GitHub Desktop\", \"source\": {\"advisory\": \"GHSA-36mm-rh9q-cpqq\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.6, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"desktop\", \"product\": \"desktop\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.4.12\"}]}], \"references\": [{\"url\": \"https://github.com/desktop/desktop/security/advisories/GHSA-36mm-rh9q-cpqq\", \"name\": \"https://github.com/desktop/desktop/security/advisories/GHSA-36mm-rh9q-cpqq\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://docs.github.com/en/apps/using-github-apps/reviewing-and-revoking-authorization-of-github-apps\", \"name\": \"https://docs.github.com/en/apps/using-github-apps/reviewing-and-revoking-authorization-of-github-apps\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://git-scm.com/docs/git-credential\", \"name\": \"https://git-scm.com/docs/git-credential\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"GitHub 
Desktop is an open-source Electron-based GitHub app designed for git development. An attacker convincing a user to clone a repository directly or through a submodule can allow the attacker access to the user\u0027s credentials through the use of maliciously crafted remote URL. GitHub Desktop relies on Git to perform all network related operations (such as cloning, fetching, and pushing). When a user attempts to clone a repository GitHub Desktop will invoke `git clone` and when Git encounters a remote which requires authentication it will request the credentials for that remote host from GitHub Desktop using the git-credential protocol. Using a maliciously crafted URL it\u0027s possible to cause the credential request coming from Git to be misinterpreted by Github Desktop such that it will send credentials for a different host than the host that Git is currently communicating with thereby allowing for secret exfiltration. GitHub username and OAuth token, or credentials for other Git remote hosts stored in GitHub Desktop could be improperly transmitted to an unrelated host. Users should update to GitHub Desktop 3.4.12 or greater which fixes this vulnerability. Users who suspect they may be affected should revoke any relevant credentials.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-522\", \"description\": \"CWE-522: Insufficiently Protected Credentials\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-01-15T17:25:00.945Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-23040\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-01-15T20:16:39.997Z\", \"dateReserved\": \"2025-01-10T15:11:08.883Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-01-15T17:25:00.945Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

