CVE-2025-46835

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-46835

8.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope CHANGED

G

it GUI allows you to use the Git source control management tools via a GUI. When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite files for which the user has write permission. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.

References
Link Resource
https://github.com/j6t/git-gui/compare/dcda716dbc9c90bcac4611bd1076747671ee0906..a437f5bc93330a70b42a230e52f3bd036ca1b1da
https://github.com/j6t/git-gui/security/advisories/GHSA-xfx7-68v4-v8fg
http://www.openwall.com/lists/oss-security/2025/07/08/4
https://lists.debian.org/debian-lts-announce/2025/10/msg00003.html
Configurations

No configuration.

History

04 Nov 2025, 22:16

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2025/07/08/4 -

03 Nov 2025, 18:16

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2025/10/msg00003.html -

15 Jul 2025, 13:24

Type Values Removed Values Added
Summary
  • (es) Git GUI permite usar las herramientas de gestión de control de código fuente de Git mediante una interfaz gráfica de usuario. Cuando un usuario clona un repositorio no confiable y se le induce a editar un archivo ubicado en un directorio malicioso del repositorio, la interfaz gráfica de Git puede crear y sobrescribir archivos para los que el usuario tiene permiso de escritura. Esta vulnerabilidad está corregida en las versiones 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1 y 2.50.1.

10 Jul 2025, 15:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-07-10 15:15

Updated : 2025-11-04 22:16

NVD link : CVE-2025-46835

Mitre link : CVE-2025-46835

CVE.ORG link : CVE-2025-46835

JSON object : View

Products Affected

No product.

CWE
CWE-88

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')