| CARVIEW |
Select Language
HTTP/2 200
date: Thu, 31 Jul 2025 11:24:12 GMT
content-type: text/html; charset=utf-8
vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, X-Requested-With,Accept-Encoding, Accept, X-Requested-With
etag: W/"14baff75e97ee2c62298b15a29dfcf94"
cache-control: max-age=0, private, must-revalidate
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: deny
x-content-type-options: nosniff
x-xss-protection: 0
referrer-policy: no-referrer-when-downgrade
content-security-policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com wss://alive-staging.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com release-assets.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com copilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/ github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/
server: github.com
content-encoding: gzip
accept-ranges: bytes
set-cookie: _gh_sess=%2BRKUYZYaW65vo5M5nTzwHHb2tKdIN29xqz6TEgRaCq24wlwyyFO9QGV9jWThoX88cA2JC%2FhDQesis4C5mKAFBDjy76r%2F3whZI3oguvwn6yf5T2HjyLyiIx8vEtag%2BgFb7ScAykAd8fILmYxReLy3FPLdW2eBscFApQo%2B7uOfEXK8iBjOakbBGqDmBVzuXCUxJ%2Bw8LM2VXYVTSWZm2%2FIl3ycqc9M%2BWfg49y0SIME3IGQGCIh4m7ch%2F8Y0pd%2BQ4Hxa7RoJ6V6fTsKzcyKdypyNmQ%3D%3D--E6TX5nAE3mH9ohce--JlfdSgkaBdqD2xVzdiQB9A%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: _octo=GH1.1.739114116.1753961052; Path=/; Domain=github.com; Expires=Fri, 31 Jul 2026 11:24:12 GMT; Secure; SameSite=Lax
set-cookie: logged_in=no; Path=/; Domain=github.com; Expires=Fri, 31 Jul 2026 11:24:12 GMT; HttpOnly; Secure; SameSite=Lax
x-github-request-id: 8382:144580:914066:AD9AE1:688B525C
malicious URLs may cause Git to present stored credentials to the wrong server · Advisory · git/git · GitHub
Skip to content
Navigation Menu
{{ message }}
-
Notifications
You must be signed in to change notification settings - Fork 26.5k
malicious URLs may cause Git to present stored credentials to the wrong server
High
Package
Git
Affected versions
<= 2.17.3, 2.18.2, 2.19.3, 2.20.2, 2.21.1, 2.22.2, 2.23.1, 2.24.1, 2.25.2, 2.26.0
Patched versions
2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1
Description
You can’t perform that action at this time.
Impact
Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g.,
good.example.com) for an HTTP request being made to another server (e.g.,evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing.The vulnerability can be triggered by feeding a malicious URL to
git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git.Patches
The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for
git fsck, but that commit is sufficient to protect clients against the vulnerability).Workarounds
The most complete workaround is to disable credential helpers altogether:
An alternative is to avoid malicious URLs:
examine the hostname and username portion of URLs fed to
git clonefor the presence of encoded newlines (%0a) or evidence of credential-protocol injections (e.g.,host=github.com)avoid using submodules with untrusted repositories (don't use
clone --recurse-submodules; usegit submodule updateonly after examining the URLs found in.gitmodules)avoid tools which may run
git cloneon untrusted URLs under the hoodCredits
This vulnerability was found by Felix Wilhelm of Google Project Zero and fixed by Jeff King of GitHub.
References