CVE-2025-66413

Git for Windows is the Windows port of Git. Prior to 2.53.0(2), it is possible to obtain a user's NTLM hash by tricking them into cloning from a malicious server. Since NTLM hashing is weak, it is possible for the attacker to brute-force the user's account name and password. This vulnerability is fixed in 2.53.0(2).

CVSS v3 7.4 HIGH

7.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/git-for-windows/git/releases/tag/v2.53.0.windows.2	Release Notes
https://github.com/git-for-windows/git/security/advisories/GHSA-hv9c-4jm9-jh3x	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:gitforwindows:git:*:*:*:*:*:*:*:*

History

21 Apr 2026, 14:08

Type	Values Removed	Values Added
References	~~() https://github.com/git-for-windows/git/releases/tag/v2.53.0.windows.2 -~~	() https://github.com/git-for-windows/git/releases/tag/v2.53.0.windows.2 - Release Notes
References	~~() https://github.com/git-for-windows/git/security/advisories/GHSA-hv9c-4jm9-jh3x -~~	() https://github.com/git-for-windows/git/security/advisories/GHSA-hv9c-4jm9-jh3x - Exploit, Vendor Advisory
First Time		Gitforwindows Gitforwindows git
CPE		cpe:2.3:a:gitforwindows:git::::::::
CWE		CWE-307

11 Mar 2026, 13:52

Type	Values Removed	Values Added
Summary		(es) Git para Windows es el puerto de Windows de Git. Antes de 2.53.0(2), es posible obtener el hash NTLM de un usuario engañándolos para que clonen de un servidor malicioso. Dado que el hashing NTLM es débil, es posible para el atacante forzar por fuerza bruta el nombre de cuenta y la contraseña del usuario. Esta vulnerabilidad está corregida en 2.53.0(2).

10 Mar 2026, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-10 21:16

Updated : 2026-04-21 14:08

NVD link : CVE-2025-66413

Mitre link : CVE-2025-66413

CVE.ORG link : CVE-2025-66413

JSON object : View

Products Affected

gitforwindows

git

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-307

Improper Restriction of Excessive Authentication Attempts

{"id": "CVE-2025-66413", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-03-10T21:16:40.680", "references": [{"url": "https://github.com/git-for-windows/git/releases/tag/v2.53.0.windows.2", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/git-for-windows/git/security/advisories/GHSA-hv9c-4jm9-jh3x", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-307"}]}], "descriptions": [{"lang": "en", "value": "Git for Windows is the Windows port of Git. Prior to 2.53.0(2), it is possible to obtain a user's NTLM hash by tricking them into cloning from a malicious server. Since NTLM hashing is weak, it is possible for the attacker to brute-force the user's account name and password. This vulnerability is fixed in 2.53.0(2)."}, {"lang": "es", "value": "Git para Windows es el puerto de Windows de Git. Antes de 2.53.0(2), es posible obtener el hash NTLM de un usuario enga\u00f1\u00e1ndolos para que clonen de un servidor malicioso. Dado que el hashing NTLM es d\u00e9bil, es posible para el atacante forzar por fuerza bruta el nombre de cuenta y la contrase\u00f1a del usuario. Esta vulnerabilidad est\u00e1 corregida en 2.53.0(2)."}], "lastModified": "2026-04-21T14:08:46.790", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitforwindows:git:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "78AC4040-01B2-45BF-B32D-E02FFE3BA565", "versionEndIncluding": "2.53.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}