Gitk can create and truncate a user's files

Impact

When a user clones an untrusted repository and runs gitk without additional command arguments, files for which the user has write permission can be created and truncated. The option Support per-file encoding must have been enabled before in Gitk's Preferences. This option is disabled by default.

The same happens when Show origin of this line is used in the main window (regardless of whether Support per-file encoding is enabled or not).

Patches

For Git 2.41.0 and later: 7dd272eca153..67a128b91e25 (this includes the fix for CVE-2025-27614)
For Git prior to 2.41.0: 465f03869ae1..026c397d911c (these versions are not affected by CVE-2025-27614)

Workarounds

Ensure that the option Support per-file encoding in Gitk's Preferences is disabled.
Do not use Show origin of this line.
Do not clone repositories from untrusted sources.
Do not use gitk.

References

A similar issue is present in Git GUI.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Gitk can create and truncate a user's files

Package

Affected versions

Patched versions

Description

Impact

Patches

Workarounds

References

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

CVE ID

Weaknesses

Credits