#VU112644 Untrusted search path in Git - CVE-2025-46334
Vulnerability identifier: #VU112644
Vulnerability risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID:
CWE-ID:
CWE-426
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Git
Client/Desktop applications /
Software for system administration
Vendor: Git
Description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to usage of an untrusted search path in Git GUI on Windows. A malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. On Windows, path lookup can find such executables in the worktree. These programs are invoked when the user selects "Git Bash" or "Browse Files" from the menu.
Note, the vulnerability affects Windows installations only.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Git: 2.43.0, 2.43.1, 2.43.2, 2.43.3, 2.43.4, 2.43.5, 2.43.6, 2.44.0, 2.44.1, 2.44.2, 2.44.3, 2.45.0, 2.45.1, 2.45.2, 2.45.3, 2.46.0, 2.46.1, 2.46.2, 2.46.3, 2.47.0, 2.47.1, 2.47.2, 2.48.0, 2.48.1, 2.49.0, 2.50.0
External links
https://www.openwall.com/lists/oss-security/2025/07/08/4
https://lore.kernel.org/git/xmqq5xg2wrd1.fsf@gitster.g/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
