GitHub is not as secure as it seems. The tech world is far from stable: leakers and attackers regularly gain unauthorized access to an organization’s user data and misuse it. Such attacks are common, though never welcome, and recent findings show that even GitHub is not immune. User credentials can be leaked from any Git-related project if the right vulnerabilities are exploited.
GitHub and Git are two words anyone who works in tech hears often. If the distinction is a bit hazy, don’t worry. GitHub is an online, web-based software development platform, currently owned by Microsoft. Think of it as a social network for programmers, where they store their code and collaborate on it.
Git, on the other hand, is the distributed version control system GitHub provides to track changes made to code and files. With Git, one can follow every change to the code over time, down to the smallest, and undo any of them if a mistake turns up.
Launched in 2008, GitHub has long been regarded by organizations as one of the most trusted platforms for a wide range of services and tools. The recent revelation, however, shows it is not as safe as it looks.
Recent research has brought to light a number of security vulnerabilities in GitHub and other Git-related projects. The most alarming part is that an attacker who exploits these weak points can easily gain unauthorized access to users’ Git credentials.
None of this came to light until RyotaK, an engineer at Japan’s GMO Flatt Security, investigated and disclosed it. According to his research, three distinct but related attacks, collectively named Clone2Leak, can leak credentials by exploiting how Git and its credential helpers process authentication requests. His report identifies GitHub Desktop, Git LFS, GitHub CLI, and Git Credential Manager as the tools most at risk.
Clone2Leak comprises four flaws: CVE-2025-23040, CVE-2024-50338, CVE-2024-53858, and CVE-2024-53263. The first two are “carriage return smuggling” flaws, in which Git Credential Manager mishandles a URL containing a carriage return, leading to credential leaks.
The next, CVE-2024-53858, covers “logic flaws in credential retrieval.” Here GitHub CLI and GitHub Codespaces are the most affected, as they can send authentication tokens to outside parties. Attackers can exploit this by cloning a malicious repository inside Codespaces to get at those tokens.
The third is “newline injection,” the CVE-2024-53263 flaw, for which Git LFS is responsible. It bypasses Git’s safeguards by allowing newline characters in .lfsconfig files, which attackers can use to obtain GitHub credentials improperly.
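Both the “carriage return smuggling” and the “newline injection” flaws above come down to one thing: a CR or LF character ending up inside a value of Git’s line-oriented credential-helper protocol (one key=value per line, terminated by a blank line). The following Python script is an added illustration, not code from the article or from any of the projects it names. It puts a weak parser next to a hardened one and feeds both a constructed request whose host value carries an embedded carriage return; the host names are placeholders, and the way the pair is smuggled is a simplification for demonstration.

```python
"""
Added example (not from the article or any of the tools it names).

Git talks to credential helpers over a simple line-oriented protocol:
one "key=value" per line, terminated by a blank line. A reader that
treats a bare carriage return as a line break will see a second
key=value pair that Git never meant to send, and may look up (and hand
over) credentials for the wrong host. Rejecting control characters in
keys and values is the defensive fix.
"""
from typing import Dict

# Constructed request: the "host" value carries an embedded carriage return
# followed by a second "host=" assignment. Patched tools refuse such input.
SMUGGLED_REQUEST = (
    "protocol=https\n"
    "host=trusted.example\rhost=other.example\n"
    "path=org/repo.git\n"
    "\n"
)

# Constructed well-formed request for comparison.
CLEAN_REQUEST = "protocol=https\nhost=trusted.example\npath=org/repo.git\n\n"


def parse_lenient(raw: str) -> Dict[str, str]:
    """Weak parser: str.splitlines() also splits on '\\r', so a CR inside a
    value becomes a line boundary and the smuggled pair overrides the host."""
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line:
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs


class MalformedCredentialRequest(ValueError):
    """Raised when a request contains characters the protocol cannot carry."""


def parse_strict(raw: str) -> Dict[str, str]:
    """Hardened parser: only '\\n' terminates a line, and any CR, LF or NUL
    inside a key or value aborts the whole request instead of being
    reinterpreted as a line break."""
    attrs: Dict[str, str] = {}
    for line in raw.split("\n"):
        if line == "":
            break
        if "=" not in line:
            raise MalformedCredentialRequest(f"no '=' in line: {line!r}")
        key, _, value = line.partition("=")
        for field in (key, value):
            if any(ch in field for ch in "\r\n\0"):
                raise MalformedCredentialRequest(
                    f"control character in attribute {key!r}; refusing request"
                )
        attrs[key] = value
    return attrs


def effective_host(raw: str, strict: bool) -> str:
    """Return the host a helper would look credentials up for, or 'REJECTED'
    when the hardened parser refuses the request."""
    try:
        attrs = parse_strict(raw) if strict else parse_lenient(raw)
    except MalformedCredentialRequest:
        return "REJECTED"
    return attrs.get("host", "")


if __name__ == "__main__":
    print("lenient:", effective_host(SMUGGLED_REQUEST, strict=False))
    print("strict :", effective_host(SMUGGLED_REQUEST, strict=True))
    print("clean  :", effective_host(CLEAN_REQUEST, strict=True))
```

The lenient parser resolves the smuggled request to the second host, while the strict one refuses it outright and still accepts the clean request. The same rule applies to values read from configuration files such as .lfsconfig: a value that would need a newline to express cannot be a legitimate URL or host, so rejecting it costs nothing.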
These are major concerns for GitHub users. Many large organizations use Git to store code and track its development, so security issues in GitHub are bound to affect them too. The good news is that things have been fixed: Microsoft took steps to address the problem as soon as it came to light.
All of the flaws and vulnerabilities listed above are now patched, so users need not panic. What they must do is make sure all of their tools are up to date; the latest updates cover every flaw mentioned above.
Additionally, they should audit their credential configurations and be more cautious when cloning repositories. The recommended versions are GitHub Desktop 3.4.12, Git LFS 3.6.1, Git Credential Manager 2.6.1, and gh cli 2.63.0; these are minimums, and later versions are better.
For extra protection, users can also enable Git’s ‘credential.protectProtocol’ setting, an effective defense against credential leak attacks.
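The two remediation steps above, updating to the listed minimum versions and checking the ‘credential.protectProtocol’ setting, can be audited from one script. The Python below is an added example, not from the article or from GitHub: it parses each tool’s version banner, compares it with the article’s minimums, and reads the Git config key. The exact `--version` commands and output formats are assumptions (the regex simply takes the first x.y.z it finds), tools that are not installed are skipped, and GitHub Desktop, being a GUI application, is left for a manual check.

```python
"""
Added example, not from the article or from GitHub. Audits locally installed
Git tooling against the minimum versions the article recommends and reports
the credential.protectProtocol setting. Version commands and banner formats
are assumptions; anything not installed is reported as such.
"""
import re
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Minimum versions recommended in the article.
MINIMUMS: Dict[str, Version] = {
    "GitHub Desktop": (3, 4, 12),
    "Git LFS": (3, 6, 1),
    "Git Credential Manager": (2, 6, 1),
    "gh cli": (2, 63, 0),
}

# Assumed commands that print each tool's version. GitHub Desktop has no
# standard CLI entry point, so it is not probed here.
VERSION_COMMANDS: Dict[str, List[str]] = {
    "Git LFS": ["git", "lfs", "version"],
    "Git Credential Manager": ["git-credential-manager", "--version"],
    "gh cli": ["gh", "--version"],
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def extract_version(output: str) -> Optional[Version]:
    """Pull the first x.y.z triple out of a tool's version banner."""
    m = _VERSION_RE.search(output)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def meets_minimum(tool: str, output: str) -> Optional[bool]:
    """True if the reported version is at or above the article's minimum,
    False if it is below, None if no version could be parsed."""
    found = extract_version(output)
    if found is None:
        return None
    return found >= MINIMUMS[tool]


def protect_protocol_setting() -> str:
    """Read credential.protectProtocol from git config ('unset' if absent)."""
    if shutil.which("git") is None:
        return "git not installed"
    res = subprocess.run(
        ["git", "config", "--get", "credential.protectProtocol"],
        capture_output=True, text=True,
    )
    return res.stdout.strip() or "unset"


def audit() -> Dict[str, str]:
    """Run every probe and return a tool -> status report."""
    report: Dict[str, str] = {}
    for tool, cmd in VERSION_COMMANDS.items():
        if shutil.which(cmd[0]) is None:
            report[tool] = "not installed"
            continue
        out = subprocess.run(cmd, capture_output=True, text=True).stdout
        status = meets_minimum(tool, out)
        report[tool] = {True: "OK", False: "UPDATE NEEDED", None: "version unknown"}[status]
    report["GitHub Desktop"] = "check manually (minimum 3.4.12)"
    report["credential.protectProtocol"] = protect_protocol_setting()
    return report


if __name__ == "__main__":
    for name, status in audit().items():
        print(f"{name:28s} {status}")
```

Any line reporting UPDATE NEEDED, or a protectProtocol value of false, is the item to fix; an unset value means the running Git’s default applies, so confirming Git itself is current is part of the same audit.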