CVE-2025-48064

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-48064
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-48064.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-48064
Aliases
  • GHSA-f234-7hj3-vr8j
Published
2025-05-21T17:40:57.527Z
Modified
2026-04-10T05:32:26.972257Z
Severity
  • 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS Calculator
Summary
GitHub Desktop vulnerable to maliciously crafted file renames leading to information disclosure
Details

GitHub Desktop is an open-source, Electron-based GitHub app designed for git development. Prior to version 3.4.20-beta3, an attacker convincing a user to view a file in a commit of their making in the history view can cause information disclosure by means of Git attempting to access a network share. This affects GitHub Desktop users on Windows that view malicious commits in the history view. macOS users are not affected. When viewing a file diff in the history view GitHub Desktop will call git log or git diff with the object id (SHA) of the commit, the name of the file, and the old name of the file if the file has been renamed. As a security precaution Git will attempt to fully resolve the old and new path via realpath, traversing symlinks, to ensure that the resolved paths reside within the repository working directory. This can lead to Git attempting to access a path that resides on a network share (UNC path) and in doing so Windows will attempt to perform NTLM authentication which passes information such as the computer name, the currently signed in (Windows) user name, and an NTLM hash. GitHub Desktop 3.4.20 and later fix this vulnerability. The beta channel includes the fix in 3.4.20-beta3. As a workaround to use until upgrading is possible, only browse commits in the history view that comes from trusted sources.

Database specific 
{
    "cwe_ids": [
        "CWE-200"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/48xxx/CVE-2025-48064.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/desktop/desktop

Affected ranges

Type
GIT
Repo
https://github.com/desktop/desktop
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
c0867f8b1442dfd2f930a252811a65461489e45b
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.4.20-beta3"
        }
    ]
}

Affected versions

release-0.*
release-0.0.10
release-0.0.11
release-0.0.12
release-0.0.13
release-0.0.14
release-0.0.15
release-0.0.16
release-0.0.17
release-0.0.21
release-0.0.22
release-0.0.23
release-0.0.24
release-0.0.25
release-0.0.26
release-0.0.27
release-0.0.28
release-0.0.29
release-0.0.3
release-0.0.30
release-0.0.31
release-0.0.32
release-0.0.33
release-0.0.34
release-0.0.35
release-0.0.36
release-0.0.37
release-0.0.38
release-0.0.39
release-0.0.4
release-0.0.5
release-0.0.6
release-0.0.7
release-0.0.8
release-0.0.9
release-0.5.0
release-0.5.1
release-0.5.2
release-0.5.3
release-0.5.4
release-0.5.5
release-0.5.6
release-0.5.7
release-0.5.8
release-0.5.9
release-0.6.0
release-0.6.1
release-0.6.2
release-0.7.0
release-0.7.1
release-0.7.1-beta0
release-0.7.1-beta4
release-0.7.2
release-0.7.2-beta0
release-0.7.3-beta0
release-0.7.3-beta1
release-0.7.3-beta2
release-0.7.3-beta3
release-0.7.3-beta4
release-0.7.3-beta5
release-0.8.0
release-0.8.1
release-0.8.1-beta0
release-0.8.1-beta1
release-0.8.1-beta2
release-0.8.1-beta3
release-0.8.1-beta4
release-0.8.2
release-0.9.1
release-1.*
release-1.0.0
release-1.0.0-beta0
release-1.0.0-beta1
release-1.0.0-beta3
release-1.0.1
release-1.0.1-beta0
release-1.0.10
release-1.0.10-beta0
release-1.0.10-beta2
release-1.0.10-beta3
release-1.0.11
release-1.0.11-beta0
release-1.0.12
release-1.0.12-beta0
release-1.0.12-beta1
release-1.0.13
release-1.0.13-beta1
release-1.0.14-beta1
release-1.0.14-beta2
release-1.0.14-beta5
release-1.0.2
release-1.0.2-beta0
release-1.0.2-beta1
release-1.0.3
release-1.0.4
release-1.0.4-beta0
release-1.0.4-beta1
release-1.0.5
release-1.0.5-beta0
release-1.0.5-beta1
release-1.0.6
release-1.0.7
release-1.0.7-beta0
release-1.0.8
release-1.0.8-beta0
release-1.0.9
release-1.0.9-beta0
release-1.1.0
release-1.1.1
release-1.1.1-beta3
release-1.1.1-beta4
release-1.1.2-beta1
release-1.1.2-beta2
release-1.1.2-beta3
release-1.1.2-beta5
release-1.1.2-beta6
release-1.1.2-beta7
release-1.2.0
release-1.2.1
release-1.2.1-beta1
release-1.2.4
release-1.2.4-beta1
release-1.2.4-beta2
release-1.2.4-beta3
release-1.2.4-beta4
release-1.2.4-beta5
release-1.3.0
release-1.3.0-beta1
release-1.3.0-beta6
release-1.3.0-beta7
release-1.3.1-beta0
release-1.3.3
release-1.3.5-beta1
release-1.4.0
release-1.4.0-beta1
release-1.4.1
release-1.5.0-beta1
release-3.*
release-3.4.20-beta2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-48064.json"