Clone2Leak Attacks Exploit Git Flaws to Steal Credentials

The affected tools include GitHub Desktop, Git LFS (Large File Storage)

By WIRE TOR - Ethical Hacking Services. Published 12 months ago. 3 min read.

A new set of Git vulnerabilities, collectively known as “Clone2Leak,” has come to light, exposing users to credential theft. These flaws highlight how improper parsing of authentication requests in Git and its credential helpers can be exploited to leak sensitive information such as passwords and access tokens. Git, a widely used version control system, relies on credential helpers to store and retrieve authentication credentials for seamless interactions with remote repositories. However, this convenience comes with risks, as attackers can exploit these tools to intercept and steal credentials when users interact with malicious repositories.

The affected tools include GitHub Desktop, Git LFS (Large File Storage), GitHub CLI (Command Line Interface), GitHub Codespaces, and the Git Credential Manager. Security updates have been released for all affected software, and users are strongly advised to update to the latest versions to protect their accounts.

How Clone2Leak Attacks Work

The Clone2Leak attacks exploit how Git handles authentication requests through credential helpers, enabling attackers to leak stored credentials. Credential helpers simplify the process of authenticating Git operations by securely storing credentials, but their misuse can result in sensitive information being sent to malicious servers.

There are three primary ways the Clone2Leak attacks can manifest:

Carriage Return Smuggling (CVE-2025-23040 and CVE-2024-50338): In this attack, GitHub Desktop and Git Credential Manager misinterpret carriage return (\r) characters in URLs. By crafting a submodule URL with %0D, attackers can trick the credential helper into sending stored GitHub credentials to an attacker-controlled server rather than the legitimate host.

Newline Injection (CVE-2024-53263): Git LFS improperly allows newline (\n) characters in .lfsconfig files, bypassing security mechanisms. Attackers can exploit this flaw to alter credential requests and redirect GitHub credentials to a malicious server instead of the intended one.

Logic Flaws in Credential Retrieval (CVE-2024-53858): GitHub CLI and GitHub Codespaces were found to have overly permissive credential helpers, which sent authentication tokens to unintended hosts. Attackers could exploit this flaw to steal access tokens by luring a user into cloning a malicious repository within Codespaces.
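
A defensive check for the first two attack classes above, as an added example that is not part of the original article: it scans the text of a `.gitmodules` or `.lfsconfig` file for URL values that contain a raw or percent-encoded control character such as `%0D` or `%0A`. The function name `scan_config`, the rule that every key ending in `url` is audited, and the sample files are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

CONTROL = re.compile(r"[\x00-\x1f\x7f]")   # C0 controls and DEL: covers CR and LF
SECTION = re.compile(r"^\s*\[(.+)\]\s*$")
KEYVAL = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$")


def scan_config(text, filename="<config>"):
    """Return one finding per URL-like key whose value hides a control character."""
    findings = []
    section = ""
    # Split on "\n" only: str.splitlines() also breaks on a raw "\r" and would
    # hide exactly the character this audit is looking for.
    for lineno, line in enumerate(text.split("\n"), start=1):
        if line.endswith("\r"):          # tolerate CRLF line endings
            line = line[:-1]
        header = SECTION.match(line)
        if header:
            section = header.group(1)
            continue
        kv = KEYVAL.match(line)
        # Assumption: every key ending in "url" (url, pushurl, lfsurl) is audited.
        if not kv or not kv.group(1).lower().endswith("url"):
            continue
        decoded = unquote(kv.group(2).strip(" \t"))   # %0D / %0A become raw characters
        bad = sorted({f"0x{ord(c):02x}" for c in CONTROL.findall(decoded)})
        if bad:
            findings.append({"file": filename, "line": lineno,
                             "section": section, "key": kv.group(1), "chars": bad})
    return findings


# Constructed sample files; the example.com hosts are placeholders.
SAMPLE_GITMODULES = (
    '[submodule "docs"]\n'
    "\tpath = docs\n"
    "\turl = https://example.com/org/docs.git\n"
    '[submodule "vendor"]\n'
    "\tpath = vendor\n"
    "\turl = https://example.com/a%0Db.git\n"
)
SAMPLE_LFSCONFIG = "[lfs]\r\n\turl = https://lfs.example.com/x%0Ay\r\n"

if __name__ == "__main__":
    for name, text in ((".gitmodules", SAMPLE_GITMODULES), (".lfsconfig", SAMPLE_LFSCONFIG)):
        for finding in scan_config(text, name):
            print(finding)
```

Running the check on a repository's `.gitmodules` and `.lfsconfig` before initializing submodules or pulling LFS objects fits the "Audit Credential Configurations" step; a finding means the URL should be inspected by hand before any credential helper is invoked for it.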

Mitigating the Risks

All of the vulnerabilities associated with Clone2Leak have been patched. Users are urged to update their tools to the following safe versions:

  • GitHub Desktop: Version 3.4.12 or newer
  • Git Credential Manager: Version 2.6.1 or newer
  • Git LFS: Version 3.6.1 or later
  • GitHub CLI: Version 2.63.0 or later

Additionally, enabling Git’s credential.protectProtocol option provides an extra layer of defense against credential smuggling attacks.

Best Practices for Git Users

To further minimize the risk of credential leaks, users should take the following steps:

  • Regularly Update Tools: Ensure all Git-related tools are kept up to date. Software vendors frequently release patches to address newly discovered vulnerabilities, and keeping your tools current is essential for security.
  • Audit Credential Configurations: Review and verify the configurations of credential helpers to ensure they are pointing to the correct repositories and not inadvertently exposing credentials to unintended hosts.
  • Exercise Caution with Repositories: Avoid cloning or interacting with repositories from untrusted or suspicious sources. Attackers may set up malicious repositories specifically to exploit these vulnerabilities.
  • Enable Additional Protections: Use advanced security features, such as enabling Git’s credential.protectProtocol, to mitigate potential threats.

Implications of the Vulnerabilities

Although no reports of active exploitation in the wild have been noted, the public disclosure of these vulnerabilities elevates the risk of attacks. Threat actors may quickly adopt these techniques to target unsuspecting users who have not yet updated their software or reviewed their configurations.

The Clone2Leak vulnerabilities serve as a stark reminder of the importance of secure coding practices and timely software updates. Developers and organizations should remain vigilant, adopt secure development workflows, and routinely evaluate their security posture to protect against evolving threats.

By addressing these vulnerabilities and implementing the recommended mitigations, users can significantly reduce the risk of credential theft and safeguard their sensitive information.
