What is the severity of CVE-2025-23040?

CVE-2025-23040 has been classified as a high severity vulnerability due to the potential for credential exposure.

How do I fix CVE-2025-23040?

To mitigate CVE-2025-23040, ensure you update GitHub Desktop to version 3.4.12 or later.

What type of vulnerability is CVE-2025-23040?

CVE-2025-23040 is a security vulnerability that allows an attacker to access user credentials via malicious repository URLs.

Which versions of GitHub Desktop are affected by CVE-2025-23040?

CVE-2025-23040 affects all versions of GitHub Desktop prior to version 3.4.12.

How can attackers exploit CVE-2025-23040?

Attackers can exploit CVE-2025-23040 by convincing users to clone a repository with a maliciously crafted remote URL.

Vulnerability/
CVE-2025-23040

medium

6.6

CWE

522

EPSS

0.045%

15/1/2025

CVE-2025-23040: Maliciously crafted remote URLs could lead to credential leak in GitHub Desktop

First published: Wed Jan 15 2025(Updated: )

GitHub Desktop is an open-source Electron-based GitHub app designed for git development. An attacker convincing a user to clone a repository directly or through a submodule can allow the attacker access to the user's credentials through the use of maliciously crafted remote URL. GitHub Desktop relies on Git to perform all network related operations (such as cloning, fetching, and pushing). When a user attempts to clone a repository GitHub Desktop will invoke `git clone` and when Git encounters a remote which requires authentication it will request the credentials for that remote host from GitHub Desktop using the git-credential protocol. Using a maliciously crafted URL it's possible to cause the credential request coming from Git to be misinterpreted by Github Desktop such that it will send credentials for a different host than the host that Git is currently communicating with thereby allowing for secret exfiltration. GitHub username and OAuth token, or credentials for other Git remote hosts stored in GitHub Desktop could be improperly transmitted to an unrelated host. Users should update to GitHub Desktop 3.4.12 or greater which fixes this vulnerability. Users who suspect they may be affected should revoke any relevant credentials.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
GitHub Desktop	<3.4.12

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2025-23040?
CVE-2025-23040 has been classified as a high severity vulnerability due to the potential for credential exposure.
How do I fix CVE-2025-23040?
To mitigate CVE-2025-23040, ensure you update GitHub Desktop to version 3.4.12 or later.
What type of vulnerability is CVE-2025-23040?
CVE-2025-23040 is a security vulnerability that allows an attacker to access user credentials via malicious repository URLs.
Which versions of GitHub Desktop are affected by CVE-2025-23040?
CVE-2025-23040 affects all versions of GitHub Desktop prior to version 3.4.12.
How can attackers exploit CVE-2025-23040?
Attackers can exploit CVE-2025-23040 by convincing users to clone a repository with a maliciously crafted remote URL.

agent/weakness
agent/title
agent/description
agent/references
agent/first-publish-date
agent/type
collector/nvd-api
source/NVD
agent/severity
agent/author
agent/event
agent/source
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/softwarecombine
collector/epss-latest
source/FIRST
agent/epss
agent/tags
agent/guess-ai
agent/software-canonical-lookup
agent/software-canonical-lookup-request
vendor/github
canonical/github desktop