| CARVIEW |
Select Language
HTTP/2 200
date: Sat, 19 Jul 2025 07:21:43 GMT
content-type: text/html; charset=utf-8
vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, X-Requested-With,Accept-Encoding, Accept, X-Requested-With
etag: W/"bcde5ad5ad62fd9440111a3e363a4a89"
cache-control: max-age=0, private, must-revalidate
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: deny
x-content-type-options: nosniff
x-xss-protection: 0
referrer-policy: no-referrer-when-downgrade
content-security-policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com release-assets.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com copilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/ github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/
server: github.com
content-encoding: gzip
accept-ranges: bytes
set-cookie: _gh_sess=IArFv0B8BgTDTxyallrUQC4fbdj%2FOQeeUiXubq%2FRGDKkxtT0VBgXk8sMqaL8znvaZa%2B0b2wEiXk9omQzsbxvdmqEray8JuhjuCiOGOszgYIKIh79%2Fhpf4O9OIWOtOiIMthyk2j%2B1GbQ%2FdsfXH7fpo9NHVhLm3P4o3dDestUJptPEO9UJcGU9nol4zSlJwyR%2FDFDcsKmSdei4O7Jsfz%2B4wWo10hxSwacYr%2F5mJgd0aOUEMCBgDTB%2BbR0nuV49%2BSUX9BbQJJwjvjD4lKAR%2Fn%2FMog%3D%3D--GRwvqscZIIsdeW0%2F--nxTs%2BkVhTq%2Ft4ec0Xd3bdg%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: _octo=GH1.1.1884354703.1752909703; Path=/; Domain=github.com; Expires=Sun, 19 Jul 2026 07:21:43 GMT; Secure; SameSite=Lax
set-cookie: logged_in=no; Path=/; Domain=github.com; Expires=Sun, 19 Jul 2026 07:21:43 GMT; HttpOnly; Secure; SameSite=Lax
x-github-request-id: 9454:3DC509:20A3EF:29F249:687B4787
Carriage-return character in remote URL allows malicious repository to leak credentials · Advisory · git-ecosystem/git-credential-manager · GitHub
Skip to content
Navigation Menu
{{ message }}
-
Notifications
You must be signed in to change notification settings - Fork 2.2k
Carriage-return character in remote URL allows malicious repository to leak credentials
High
Description
Severity
High
/ 10
CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
CVE ID
CVE-2024-50338
Weaknesses
No CWEs
You can’t perform that action at this time.
Description
The Git credential protocol is text-based over standard input/output, and consists of a series of lines of key-value pairs in the format
key=value. Git's documentation restricts the use of the NUL (\0) character and newlines to form part of the keys1 or values.When Git reads from standard input, it considers both LF and CRLF2 as newline characters for the credential protocol by virtue of calling
strbuf_getlinethat calls tostrbuf_getdelim_strip_crlf. Git also validates that a newline is not present in the value by checking for the presence of the line-feed character (LF,\n), and errors if this is the case. This captures both LF and CRLF-type newlines.Git Credential Manager uses the .NET standard library
StreamReaderclass to read the standard input stream line-by-line and parse thekey=valuecredential protocol format. The implementation of theReadLineAsyncmethod considers LF, CRLF, and CR as valid line endings. This is means that .NET considers a single CR as a valid newline character, whereas Git does not.This mismatch of newline treatment between Git and GCM means that an attacker can craft a malicious remote URL such as:
..which will be interpreted by Git as:
This will instead be parsed by GCM as if the following has been passed by Git:
This results in the
hostfield being resolved to thetargethostvalue. GCM will then return a credential fortargethostto Git, which will then send this credential to thebadhosthost.Impact
When a user clones or otherwise interacts3 with a malicious repository that requires authentication, the attacker can capture credentials for another Git remote. The attack is also heightened when cloning from repositories with submodules when using the
--recursiveclone option as the user is not able to inspect the submodule remote URLs beforehand.Patches
749e287...99e2f7f
Workarounds
Only interacting with trusted remote repositories, and do not clone with
--recursiveto allow inspection of any submodule URLs before cloning those submodules.Fixed versions
This issue is fixed as of version 2.6.1.
Footnotes
The
=character is also forbidden to form part of the key. ↩Carriage-return character (CR,
\r), followed by a line-feed character. ↩Any remote operation such as
fetch,ls-remote, etc. ↩