- A security researcher found three related attacks and nicknamed them Clone2Leak
- They could allow threat actors to leak credentials via Git credential helpers
- The fixes are already available, so get up to date now
A number of flaws were recently found in the credential helpers of the distributed version control system Git, which could have enabled malicious actors to exfiltrate login credentials for various projects. They were responsibly disclosed to the developers and have since been fixed.
A Git credential helper is a feature that securely manages the credentials (usernames and passwords, or personal access tokens) needed to authenticate with remote repositories. It simplifies authentication by caching or storing credentials so that users do not have to re-enter them for every Git operation.
Recently, a cybersecurity researcher at the Japanese security firm GMO Flatt Security, known as Ryotak, found three distinct but related attacks and nicknamed them “Clone2Leak”. He explained that the flaws revolve around improper handling of the authentication messages sent to the credential helper. As a result, Git could end up sharing stored credentials with a malicious server.
Several defects
GitHub Desktop, Git LFS, GitHub CLI/Codespaces and Git Credential Manager were reportedly vulnerable.
Clone2Leak comprises these three flaws: CVE-2025-23040, CVE-2024-50338 and CVE-2024-53263. The first two are described as “carriage return smuggling” flaws affecting GitHub Desktop and Git Credential Manager, while the third is described as a “newline injection” in Git LFS. The researcher also discovered a logic flaw in credential retrieval, tracked as CVE-2024-53858, affecting GitHub CLI and GitHub Codespaces.
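The flaws described above all come down to the line-oriented protocol Git uses to talk to credential helpers: a request is a series of key=value lines (protocol, host, path, username, password) ended by a blank line, so a carriage return or newline that reaches a value can terminate a field early or introduce a field the caller never intended. The following is an added illustration, not code from Git, GitHub or GMO Flatt Security, of the two defender-side checks a careful caller and a careful helper should make: reject control characters before a URL is turned into a request, and reject any field that still contains one on the way in. The function names, the error class and the restriction to the https protocol (meant to mirror the intent of the credential.protectProtocol setting mentioned below) are assumptions of this example.

```python
from typing import Dict
from urllib.parse import urlsplit

# Assumption of this example: only https remotes may be answered with
# stored credentials, in the spirit of Git's credential.protectProtocol.
SAFE_PROTOCOLS = {"https"}


class UnsafeCredentialRequest(ValueError):
    """Raised when a request could corrupt the helper's line protocol."""


def build_credential_request(url: str) -> str:
    """Turn a remote URL into the key=value block a credential helper reads.

    Hypothetical caller-side check: refuse the URL before it is split into
    fields if it contains CR or LF.  This must happen on the raw string,
    because urlsplit() silently strips those characters and would hide them.
    """
    if "\r" in url or "\n" in url:
        raise UnsafeCredentialRequest("control character in remote URL")
    parts = urlsplit(url)
    if parts.scheme not in SAFE_PROTOCOLS:
        raise UnsafeCredentialRequest(f"protocol {parts.scheme!r} not allowed")
    if not parts.hostname:
        raise UnsafeCredentialRequest("remote URL has no host")
    host = parts.hostname if parts.port is None else f"{parts.hostname}:{parts.port}"
    lines = [f"protocol={parts.scheme}", f"host={host}"]
    if parts.username:
        lines.append(f"username={parts.username}")
    if parts.path and parts.path != "/":
        lines.append(f"path={parts.path.lstrip('/')}")
    # One field per line, blank line terminates the request.
    return "\n".join(lines) + "\n\n"


def parse_credential_request(blob: str) -> Dict[str, str]:
    """Parse a helper request the way a careful helper should.

    Hypothetical helper-side check: a stray carriage return, a line without
    '=', or a key given twice are all treated as errors rather than quietly
    shifting which host the stored credential is matched against.
    """
    fields: Dict[str, str] = {}
    for raw in blob.split("\n"):
        if raw == "":          # blank line: end of request
            break
        if "\r" in raw:
            raise UnsafeCredentialRequest("carriage return inside a field")
        key, sep, value = raw.partition("=")
        if not sep or not key:
            raise UnsafeCredentialRequest(f"malformed line {raw!r}")
        if key in fields:
            raise UnsafeCredentialRequest(f"duplicate field {key!r}")
        fields[key] = value
    return fields


if __name__ == "__main__":
    # Constructed sample URLs for demonstration; nothing here is taken
    # from the reported vulnerabilities.
    good = build_credential_request("https://github.com/example-org/example-repo.git")
    print(parse_credential_request(good))
    for bad in ("http://github.com/example-org/example-repo.git",
                "https://github.com/x\rhost=attacker.example"):
        try:
            build_credential_request(bad)
        except UnsafeCredentialRequest as exc:
            print("rejected:", exc)
```

Run as a script it prints the parsed fields for the clean URL and a rejection for each of the two constructed bad ones; the same two functions can be imported and reused in a wrapper around any tool that constructs helper requests.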
Users are now urged to migrate to safe versions to mitigate the risk of potential credential leakage.
All of the aforementioned bugs have since been addressed, and users are now urged to update their tools, audit their credential configurations and exercise caution when cloning repositories. The versions they should opt for include GitHub Desktop 3.4.12, Git Credential Manager 2.6.1, Git LFS 3.6.1 and GH CLI 2.63.0.
Users should also enable “credential.protectProtocol”, it said.
Via BleepingComputer