Clone2Leak, a newly identified set of vulnerabilities in Git and its ecosystem, poses significant risks to developers by exploiting flaws in credential management protocols. Discovered by security researcher RyotaK from GMO Flatt Security, these vulnerabilities could allow attackers to leak stored credentials and access sensitive repositories. While patches have been released to address the issues, the revelations highlight the importance of vigilance in securing development tools.
Clone2Leak exploits Git’s credential flaws
The Clone2Leak attack relies on improper parsing of authentication requests by Git and its associated tools, such as GitHub Desktop, Git LFS, GitHub CLI, and Git Credential Manager. Credential helpers, designed to simplify authentication, became the attack vector due to their mishandling of specially crafted URLs. Each vulnerability exposes a unique avenue for attackers to exploit.
“When using a credential helper, Git uses a line-based protocol to pass information between itself and the credential helper. A specially-crafted URL containing a carriage return can be used to inject unintended values into the protocol stream, causing the helper to retrieve the password for one server while sending it to another,” GitHub states.
The first category of attack, known as carriage return smuggling, was tracked as CVE-2025-23040 and CVE-2024-50338. These vulnerabilities affected GitHub Desktop and Git Credential Manager, where a `%0D` sequence (a URL-encoded carriage return) embedded in a malicious URL could trick the tools into sending credentials to an unauthorized server. According to RyotaK, the flaw exploited discrepancies in how Git and its helpers processed carriage return characters in authentication requests.
Another attack method involved newline injection (CVE-2024-53263), which exploited Git LFS’s leniency in handling newline (`\n`) characters within `.lfsconfig` files. Attackers could manipulate credential requests to redirect Git’s responses to malicious servers. Finally, logic flaws in credential retrieval (CVE-2024-53858) targeted GitHub CLI and Codespaces. These tools had overly permissive credential helpers, enabling attackers to redirect authentication tokens by luring users into cloning malicious repositories.
Mitigating the risks of Clone2Leak
All identified vulnerabilities have now been addressed through patches. Users are urged to update their tools to the following safe versions: GitHub Desktop 3.4.12 or newer, Git Credential Manager 2.6.1 or newer, Git LFS 3.6.1 or later, and GitHub CLI 2.63.0 or later. Additionally, Git version 2.48.1 resolves a related issue (CVE-2024-52006) by refusing to process URLs that contain carriage return characters.
To further mitigate risks, developers are advised to enable Git’s `credential.protectProtocol` setting. This configuration adds an extra layer of defense against credential smuggling attacks. Other recommendations include auditing credential configurations and exercising caution when cloning repositories, particularly those requiring credentials.
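The update and configuration advice above is easy to check mechanically. The following Python audit is an example written for this article, not a tool from GitHub, Git or RyotaK: it takes the minimum fixed versions the article lists, compares them against what each command reports for `--version`, and reads `git config --get credential.protectProtocol`. How each tool formats its version string is an assumption, so the parser only looks for the first `x.y.z` triple; the sample outputs are constructed so the logic can be exercised on a machine without the tools installed.

```python
"""Audit local Git tooling against the Clone2Leak fixed versions.

Example written for this article, not code from GitHub, Git or the
researcher's writeup. Minimum versions are the ones the article lists;
the shape of each tool's --version output is an assumption.
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed versions from the article, keyed by the command name as typed.
MINIMUM_VERSIONS: Dict[str, Version] = {
    "git": (2, 48, 1),
    "git-lfs": (3, 6, 1),
    "gh": (2, 63, 0),
    "git-credential-manager": (2, 6, 1),
}

# Constructed sample outputs (not captured from real installs) used when
# no tool is installed. git and gh are deliberately below the fixed version.
SAMPLE_OUTPUTS: Dict[str, str] = {
    "git": "git version 2.47.1",
    "git-lfs": "git-lfs/3.6.1 (GitHub; linux amd64; go 1.23.4)",
    "gh": "gh version 2.62.0 (2024-12-10)",
    "git-credential-manager": "2.6.1",
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(output: str) -> Optional[Version]:
    """Extract the first x.y.z triple from tool output; None if absent."""
    match = VERSION_RE.search(output)
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_patched(tool: str, output: str) -> bool:
    """True only when the reported version is at or above the fixed one.

    An unparsable version is reported as not patched (fail closed).
    """
    version = parse_version(output)
    return version is not None and version >= MINIMUM_VERSIONS[tool]


def protect_protocol_enabled(config_value: str) -> bool:
    """Interpret `git config --get credential.protectProtocol` output.

    Git booleans accept true/yes/on/1. An empty value (setting not set
    explicitly) is reported as not enabled, so the audit fails closed and
    nudges the user to set it, as the article advises.
    """
    return config_value.strip().lower() in {"true", "yes", "on", "1"}


def run(cmd: List[str]) -> Optional[str]:
    """Run a command and return its combined output, or None if not installed."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return proc.stdout + proc.stderr


def audit(outputs: Dict[str, str], protect_protocol: str) -> List[str]:
    """Return one finding per out-of-date tool or unconfirmed setting."""
    findings: List[str] = []
    for tool, minimum in MINIMUM_VERSIONS.items():
        output = outputs.get(tool)
        if output is None:
            continue  # tool not installed: nothing to patch
        if not is_patched(tool, output):
            want = ".".join(map(str, minimum))
            findings.append(f"{tool}: {output.strip()!r} is below {want}")
    if not protect_protocol_enabled(protect_protocol):
        findings.append("credential.protectProtocol is not explicitly enabled; "
                        "run: git config --global credential.protectProtocol true")
    return findings


if __name__ == "__main__":
    live = {tool: run([tool, "--version"]) for tool in MINIMUM_VERSIONS}
    installed = {tool: out for tool, out in live.items() if out is not None}
    if installed:
        outputs = installed
        setting = run(["git", "config", "--get", "credential.protectProtocol"]) or ""
    else:
        print("no Git tooling found; auditing the constructed sample outputs")
        outputs, setting = SAMPLE_OUTPUTS, ""
    for line in audit(outputs, setting) or ["no findings"]:
        print(line)
```

Run it as a script on a developer workstation to list anything still below the fixed versions; on the constructed samples it reports git and gh as out of date and reminds you to set `credential.protectProtocol`. GitHub Desktop is deliberately absent from the table because it has no command-line `--version` to parse.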
“Using a maliciously crafted URL, it’s possible to cause the credential request coming from Git to be misinterpreted by GitHub Desktop, such that it will send credentials for a different host than the one Git is currently communicating with,” explained GitHub in an advisory addressing CVE-2025-23040. The statement underscores the potential severity of the issue, even as fixes have been implemented.
Systemic issues in credential management
Clone2Leak is not an isolated incident but a reflection of systemic weaknesses in how Git and its tools handle authentication protocols. The vulnerabilities exploited Git’s text-based credential protocol, which relies on newline-separated key-value pairs for communication. While protections exist to prevent property injection, discrepancies in parsing behaviors created exploitable gaps.
For instance, GitHub Desktop and Git Credential Manager misinterpreted carriage return characters, while Git LFS failed to validate embedded newline characters in configuration files. These oversights allowed attackers to craft malicious URLs capable of exfiltrating credentials.
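To make the parsing discrepancy concrete, both for the line-based credential protocol GitHub describes in the section on carriage return smuggling and for the recap of it here, the following Python models a helper-side parser in two modes. This is example code written for this article, not Git's or any helper's implementation: the lenient mode accepts a bare carriage return as a record terminator, while the strict mode, like the intent of Git 2.48.1's `credential.protectProtocol` check, refuses control characters in any field. The request strings, host names and the `CredentialProtocolError` type are all constructed for the example.

```python
"""Strict versus lenient parsing of Git's line-based credential protocol.

Example written for this article, not Git's or any helper's own code.
Git hands a credential helper a block of `key=value` lines ended by a
blank line; the two parsers below differ only in what they accept as a
line terminator and whether they validate the fields they read.
"""
from typing import Dict, List

# Bytes that must never appear inside a protocol key or value.
CONTROL_CHARS = ("\r", "\n", "\0")


class CredentialProtocolError(ValueError):
    """Raised by the strict parser when a request is malformed or unsafe."""


def split_records_lenient(stream: str) -> List[str]:
    """Model a helper that accepts '\\n', '\\r\\n' and a bare '\\r' as line ends.

    A bare carriage return inside a value therefore starts a new record,
    which is the parsing discrepancy the advisory describes.
    """
    return stream.replace("\r\n", "\n").replace("\r", "\n").split("\n")


def split_records_strict(stream: str) -> List[str]:
    """Only '\\n' ends a record; a '\\r' stays inside the value for inspection."""
    return stream.split("\n")


def parse_request(stream: str, strict: bool = True) -> Dict[str, str]:
    """Parse one credential request into a field dict.

    strict=True refuses any key or value carrying CR, LF or NUL before the
    field is used, mirroring the intent (not the code) of Git's
    credential.protectProtocol check. Later records overwrite earlier ones,
    as in the real protocol.
    """
    records = split_records_strict(stream) if strict else split_records_lenient(stream)
    fields: Dict[str, str] = {}
    for record in records:
        if record == "":
            break  # blank line terminates the request
        if "=" not in record:
            raise CredentialProtocolError(f"malformed record: {record!r}")
        key, value = record.split("=", 1)
        if strict and any(c in key or c in value for c in CONTROL_CHARS):
            raise CredentialProtocolError(f"control character in field {key!r}")
        fields[key] = value
    return fields


def host_for_lookup(stream: str, strict: bool = True) -> str:
    """The host a helper would look up (and answer for) given this request."""
    return parse_request(stream, strict=strict)["host"]


# Constructed requests (not captured from Git). The second carries a bare
# carriage return inside the host value, followed by a second host record.
CLEAN_REQUEST = "protocol=https\nhost=git.example.com\n\n"
SMUGGLED_REQUEST = "protocol=https\nhost=git.example.com\rhost=other.example\n\n"


if __name__ == "__main__":
    print("clean, strict    :", host_for_lookup(CLEAN_REQUEST))
    print("smuggled, lenient:", host_for_lookup(SMUGGLED_REQUEST, strict=False))
    try:
        host_for_lookup(SMUGGLED_REQUEST, strict=True)
    except CredentialProtocolError as exc:
        print("smuggled, strict : rejected ->", exc)
```

The instructive case is the lenient parser: the later `host=` record silently overwrites the earlier one, so the helper answers for a host Git never asked about, which is precisely the disagreement between Git and its helper that the advisory describes. A helper that validates every field before acting on it never reaches that point, and the same validation belongs on the Git side of the pipe, which is what the 2.48.1 fix adds.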
RyotaK’s findings also reveal how environment variables in GitHub Codespaces contributed to the flaws. By setting `CODESPACES` to “true,” attackers could ensure that cloned repositories automatically leaked access tokens to unauthorized hosts. These insights highlight the need for rigorous validation of parameters in credential protocols.
“When Git needs to fill in credentials interactively without the use of a credential helper, it prints out the hostname and asks the user to fill in the appropriate username/password pair for that host. However, Git prints out the hostname after URL-decoding it,” noted GitHub in its explanation of CVE-2024-50349. The vulnerability, now patched, exemplifies how subtle flaws in design can lead to significant security risks.