A patch is available to mitigate a critical vulnerability affecting all versions of the official Git client and all related software that interacts with Git repositories.

“An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine,” said GitHub’s Vincent Marti in a blog post.

Only Windows and OS X Git clients suffer from the issue. and GitHub Enterprise do not have the problem.

Strictly speaking, the vulnerability only affects developers who clone or pull from repositories whose committers they do not know or trust. Even so, all users should apply the update and remain careful when cloning or accessing Git repositories hosted on unsafe or untrusted hosts.

There is currently no indication anyone is exploiting the bug.

“Repositories hosted on cannot contain any of the malicious trees that trigger the vulnerability because we now verify and block these trees on push,” Marti said. “We have also completed an automated scan of all existing content on to look for malicious content that might have been pushed to our site before this vulnerability was discovered. This work is an extension of the data-quality checks we have always performed on repositories pushed to our servers to protect our users against malformed or malicious Git data.”
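As an added illustration of the kind of push-time check Marti describes, and of why only Windows and OS X clients are affected, here is a small validator (example code written for this article, not GitHub's or Git's own implementation) that rejects tree entries which a case-insensitive or Unicode-normalizing filesystem would resolve to the repository's own `.git` directory. The three rules it applies (case folding, HFS+ ignorable code points, NTFS 8.3 short names and trailing dots/spaces) are assumed to mirror the hardened Git client's behaviour; the sample tree is constructed.

```python
# Added example (not Git's or GitHub's code): reject tree entries that a
# Windows (NTFS) or OS X (HFS+) filesystem would map onto ".git".

# Code points HFS+ ignores when comparing file names
# (assumption: this list mirrors the one hardened Git clients check).
HFS_IGNORABLE = {
    0x200C, 0x200D, 0x200E, 0x200F,
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,
    0xFEFF,
}


def _hfs_fold(name: str) -> str:
    """Drop code points HFS+ ignores, then lower-case (HFS+ is case-insensitive)."""
    return "".join(c for c in name if ord(c) not in HFS_IGNORABLE).lower()


def _ntfs_dotgit(name: str) -> bool:
    """NTFS is case-insensitive, strips trailing dots and spaces, and exposes
    8.3 short names, so the '.git' directory is also reachable as 'git~1'."""
    folded = name.lower().rstrip(". ")
    return folded in (".git", "git~1")


def is_dotgit_alias(entry_name: str) -> bool:
    """True if this tree entry could collide with .git on Windows or OS X."""
    if entry_name == ".git":
        return True
    return _hfs_fold(entry_name) == ".git" or _ntfs_dotgit(entry_name)


def reject_malicious_tree(entries):
    """Return the entry names a push-time check should refuse."""
    return [e for e in entries if is_dotgit_alias(e)]


# Constructed sample tree entries (not taken from any real repository).
SAMPLE_TREE = [".Git", "git~1", ".g\u200cit", ".git. ", "README.md", ".gitignore", "src"]

if __name__ == "__main__":
    # Expected: ['.Git', 'git~1', '.g\u200cit', '.git. ']
    print(reject_malicious_tree(SAMPLE_TREE))
```

A Linux client would treat every flagged name as an ordinary directory, which is why the checkout succeeds there without touching `.git/config`.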
