CVE-2024-50338

CVE-2024-50338 is a high-severity security vulnerability in git-credential-manager (nuget), affecting versions <= 2.6.0. It is fixed in 2.6.1.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Git Credential Manager carriage-return character in remote URL allows malicious repository to leak credentials

Description

The Git credential protocol is text-based over standard input/output, and consists of a series of lines of key-value pairs in the format key=value. Git's documentation restricts the use of the NUL (\0) character and newlines to form part of the keys[^1] or values.

When Git reads from standard input, it considers both LF and CRLF[^2] as newline characters for the credential protocol by virtue of calling strbuf_getline that calls to strbuf_getdelim_strip_crlf. Git also validates that a newline is not present in the value by checking for the presence of the line-feed character (LF, \n), and errors if this is the case. This captures both LF and CRLF-type newlines.

Git Credential Manager uses the .NET standard library StreamReader class to read the standard input stream line-by-line and parse the key=value credential protocol format. The implementation of the ReadLineAsync method considers LF, CRLF, and CR as valid line endings. This is means that .NET considers a single CR as a valid newline character, whereas Git does not.

This mismatch of newline treatment between Git and GCM means that an attacker can craft a malicious remote URL such as:

https://\rhost=targethost@badhost

..which will be interpreted by Git as:

protocol=https
host=badhost
username=\rhost=targethost

This will instead be parsed by GCM as if the following has been passed by Git:

protocol=https
host=badhost
username=
host=targethost

This results in the host field being resolved to the targethost value. GCM will then return a credential for targethost to Git, which will then send this credential to the badhost host.

Workarounds

Only interacting with trusted remote repositories, and do not clone with --recursive to allow inspection of any submodule URLs before cloning those submodules.

Fixed versions

This issue is fixed as of version 2.6.1.

[^1]: The = character is also forbidden to form part of the key.
[^2]: Carriage-return character (CR, \r), followed by a line-feed character.
[^3]: Any remote operation such as fetch, ls-remote, etc.

Impact

When a user clones or otherwise interacts[^3] with a malicious repository that requires authentication, the attacker can capture credentials for another Git remote. The attack is also heightened when cloning from repositories with submodules when using the --recursive clone option as the user is not able to inspect the submodule remote URLs beforehand.

CVE-2024-50338 has a CVSS score of 7.4 (High). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.6.1); upgrading removes the vulnerable code path.

Affected versions

git-credential-manager (<= 2.6.0)

Security releases

git-credential-manager → 2.6.1 (nuget)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

https://github.com/git-ecosystem/git-credential-manager/compare/749e287571c78a2b61f926ccce6a707050871ab8...99e2f7f60e7364fe807e7925f361a81f3c47bd1b

Frequently Asked Questions

  1. What is CVE-2024-50338? CVE-2024-50338 is a high-severity security vulnerability in git-credential-manager (nuget), affecting versions <= 2.6.0. It is fixed in 2.6.1.
  2. How severe is CVE-2024-50338? CVE-2024-50338 has a CVSS score of 7.4 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of git-credential-manager are affected by CVE-2024-50338? git-credential-manager (nuget) versions <= 2.6.0 is affected.
  4. Is there a fix for CVE-2024-50338? Yes. CVE-2024-50338 is fixed in 2.6.1. Upgrade to this version or later.
  5. Is CVE-2024-50338 exploitable, and should I be worried? Whether CVE-2024-50338 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2024-50338 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2024-50338? Upgrade git-credential-manager to 2.6.1 or later.

Stop the waste.
Protect your environment with Kodem.