CVE-2025-46835

Git GUI allows you to use the Git source control management tools via a GUI. When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite files for which the user has write permission. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.

CVSS v3 8.5 HIGH

8.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/j6t/git-gui/compare/dcda716dbc9c90bcac4611bd1076747671ee0906..a437f5bc93330a70b42a230e52f3bd036ca1b1da
https://github.com/j6t/git-gui/security/advisories/GHSA-xfx7-68v4-v8fg

Configurations

No configuration.

History

15 Jul 2025, 13:24

Type	Values Removed	Values Added
Summary		(es) Git GUI permite usar las herramientas de gestión de control de código fuente de Git mediante una interfaz gráfica de usuario. Cuando un usuario clona un repositorio no confiable y se le induce a editar un archivo ubicado en un directorio malicioso del repositorio, la interfaz gráfica de Git puede crear y sobrescribir archivos para los que el usuario tiene permiso de escritura. Esta vulnerabilidad está corregida en las versiones 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1 y 2.50.1.

10 Jul 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-10 15:15

Updated : 2025-07-15 13:24

NVD link : CVE-2025-46835

Mitre link : CVE-2025-46835

CVE.ORG link : CVE-2025-46835

JSON object : View

Products Affected

No product.

CWE

CWE-88

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

8.5 /10