---
Git Credential Manager (GCM) is a widely used tool for securely handling your Git credentials across Windows, macOS, and Linux. But in 2024, a security vulnerability — now identified as CVE-2024-50338 — was discovered that exposes users to potential credential theft due to a subtle difference in how Git and .NET handle line endings.
In this post, we’ll break down how this vulnerability works, demonstrate the problem with code snippets, explore the risks (especially with submodules), and suggest direct mitigation steps. All in plain, simple language so everyone can understand how serious, but also easy to mitigate this issue is.
Understanding the Git Credential Protocol
Git uses a simple text protocol over standard input/output for credential helpers like GCM. Data is sent as a series of key-value pairs (e.g., key=value), one per line. The official Git documentation is clear: neither keys nor values should include the NUL character (\) or newline (\n) characters.
Example Git credential exchange
protocol=https
host=github.com
username=USERNAME
password=PASSWORD
The Line Ending Mismatch
Here’s where the trouble starts. GCM was implemented in .NET, which has its own opinion about where lines end.
Git: Only \n or \r\n count as newlines
- .NET (StreamReader.ReadLineAsync): Treats LF (\n), CRLF (\r\n), and single CR (\r) as valid line endings
This means GCM might split a credential line earlier than Git expects if a standalone \r is present. An attacker can craft a clever URL with a \r in it, causing GCM to misinterpret the line and leak values that Git would not have allowed.
Why Is This Risky?
An attacker can host a malicious repository with a remote URL containing a sneaky single \r character. When a user tries to clone or interact with this repository, GCM incorrectly processes the URL and may send credentials for an entirely different remote, leaking sensitive username and password data.
It’s even more dangerous when
- The repository uses submodules, and you use git clone --recursive. Submodule URLs are fetched automatically before you have a chance to inspect them!
Malicious .gitmodules file with a tricky URL
[submodule "evil"]
path = evil
url = https://victim.com\rusername=attacker&password=evil
When GCM parses this, the single \r will cause it to treat https://victim.com as one line and username=attacker&password=evil as the next, which will be interpreted as actual credential input!
Suppose GCM reads from standard input using .NET’s ReadLineAsync
using (StreamReader sr = new StreamReader(Console.OpenStandardInput())) {
string line;
while ((line = await sr.ReadLineAsync()) != null) {
// Line could be split at CR (\r)
var parts = line.Split('=');
//... process each key=value as a credential item
}
}
A line from the attacker’s malicious submodule URL containing an unexpected \r would make .NET end a line, even though Git would keep reading.
This lets an attacker
- Trick a user’s Git Credential Manager into leaking credentials for one domain when authenticating to another
Perform “credential stuffing” attacks if the submodule URLs are not inspected
Read more in the official GitHub advisory.
Mitigation & Recommendations
Patched Version:
GCM 2.6.1 includes a fix.
If you can update:
Upgrade to GCM 2.6.1 or newer immediately!
- GCM Releases
If you can’t update yet:
Avoid interacting with untrusted remote repositories
- Do not use git clone --recursive on unknown sources, as submodule URLs aren’t shown before being fetched
- Consider running git clone without --recursive, then manually inspecting .gitmodules for suspicious URLs before initializing submodules
Conclusion
CVE-2024-50338 capitalizes on a small but critical difference between how Git and .NET/GCM treat line endings when reading credentials. This can be weaponized by attackers to steal your Git credentials, especially when cloning repos with untrusted submodules.
Always upgrade to the latest GCM, and be careful with any repository that isn’t from a trusted source—especially before cloning with submodules enabled.
References
- Official Security Advisory
- Git Credential Protocol Documentation
- GCM Release Notes
Timeline
Published on: 01/14/2025 19:15:31 UTC