CVE-2025-66413

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-66413

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66413.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-66413

Aliases

GHSA-hv9c-4jm9-jh3x

Downstream

OESA-2026-1660

Published

2026-03-10T20:34:32.769Z

Modified

2026-04-10T05:34:19.389200Z

Severity

7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N CVSS Calculator

Summary

Git for Windows leaks NTLM hash when cloning from an attacker-controlled server

Details

Git for Windows is the Windows port of Git. Prior to 2.53.0(2), it is possible to obtain a user's NTLM hash by tricking them into cloning from a malicious server. Since NTLM hashing is weak, it is possible for the attacker to brute-force the user's account name and password. This vulnerability is fixed in 2.53.0(2).

Database specific

{
    "cwe_ids": [
        "CWE-200"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66413.json"
}

References

Affected packages

Git / github.com/git-for-windows/git

Affected ranges

Type: GIT
Repo: https://github.com/git-for-windows/git
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

e9edee0b34751bf4d7d1feda0e2535bff64d4e77

Affected versions

v0.*

v0.99

v0.99.1

v0.99.2

v0.99.3

v0.99.4

v0.99.5

v0.99.6

v0.99.7

v0.99.8

v0.99.8a

v0.99.8b

v0.99.8c

v0.99.8d

v0.99.8e

v0.99.8f

v0.99.8g

v0.99.9a

v0.99.9b

v0.99.9c

v0.99.9d

v0.99.9e

v0.99.9f

v0.99.9g

v0.99.9h

v0.99.9i

v0.99.9j

v0.99.9k

v0.99.9l

v0.99.9m

v0.99.9n

v1.*

v1.0.0

v1.0rc1

v1.0rc2

v1.0rc3

v1.0rc4

v1.0rc5

v1.0rc6

v1.1.0

v1.2.0

v1.3.0-rc1

v1.4.1

v1.4.1-rc1

v1.4.1-rc2

v1.4.2

v1.4.2-rc1

v1.4.2-rc2

v1.4.2-rc3

v1.4.2-rc4

v1.4.3

v1.4.3-rc1

v1.4.3-rc2

v1.4.3-rc3

v1.4.4

v1.4.4-rc1

v1.4.4-rc2

v1.4.4.1

v1.5.0

v1.5.0-rc0

v1.5.0-rc1

v1.5.0-rc2

v1.5.0-rc3

v1.5.0-rc4

v1.5.1

v1.5.1-rc1

v1.5.1-rc2

v1.5.1-rc3

v1.5.2

v1.5.2-rc0

v1.5.2-rc1

v1.5.2-rc2

v1.5.2-rc3

v1.5.3

v1.5.3-rc0

v1.5.3-rc1

v1.5.3-rc2

v1.5.3-rc3

v1.5.3-rc4

v1.5.3-rc5

v1.5.3-rc6

v1.5.3-rc7

v1.5.3.1

v1.5.4

v1.5.4-rc0

v1.5.4-rc1

v1.5.4-rc2

v1.5.4-rc3

v1.5.4-rc4

v1.5.4-rc5

v1.5.5

v1.5.5-rc0

v1.5.5-rc1

v1.5.5-rc2

v1.5.5-rc3

v1.5.6

v1.5.6-rc0

v1.5.6-rc1

v1.5.6-rc2

v1.5.6-rc3

v1.6.0

v1.6.0-rc0

v1.6.0-rc1

v1.6.0-rc2

v1.6.0-rc3

v1.6.1

v1.6.1-rc1

v1.6.1-rc2

v1.6.1-rc3

v1.6.1-rc4

v1.6.2

v1.6.2-rc0

v1.6.2-rc1

v1.6.2-rc2

v1.6.3

v1.6.3-rc0

v1.6.3-rc1

v1.6.3-rc2

v1.6.3-rc3

v1.6.3-rc4

v1.6.4

v1.6.4-rc0

v1.6.4-rc1

v1.6.4-rc2

v1.6.4-rc3

v1.6.5

v1.6.5-rc0

v1.6.5-rc1

v1.6.5-rc2

v1.6.5-rc3

v1.6.6

v1.6.6-rc0

v1.6.6-rc1

v1.6.6-rc2

v1.6.6-rc3

v1.6.6-rc4

v1.7.0

v1.7.0-rc0

v1.7.0-rc1

v1.7.0-rc2

v1.7.1

v1.7.1-rc0

v1.7.1-rc1

v1.7.1-rc2

v1.7.10

v1.7.10-rc0

v1.7.10-rc1

v1.7.10-rc2

v1.7.10-rc3

v1.7.10-rc4

v1.7.11

v1.7.11-rc0

v1.7.11-rc1

v1.7.11-rc2

v1.7.11-rc3

v1.7.12

v1.7.12-rc0

v1.7.12-rc1

v1.7.12-rc2

v1.7.12-rc3

v1.7.2

v1.7.2-rc0

v1.7.2-rc1

v1.7.2-rc2

v1.7.2-rc3

v1.7.3

v1.7.3-rc0

v1.7.3-rc1

v1.7.3-rc2

v1.7.3.1

v1.7.4

v1.7.4-rc0

v1.7.4-rc1

v1.7.4-rc2

v1.7.4-rc3

v1.7.5

v1.7.5-rc0

v1.7.5-rc1

v1.7.5-rc2

v1.7.5-rc3

v1.7.6

v1.7.6-rc0

v1.7.6-rc1

v1.7.6-rc2

v1.7.6-rc3

v1.7.7

v1.7.7-rc0

v1.7.7-rc1

v1.7.7-rc2

v1.7.7-rc3

v1.7.8

v1.7.8-rc0

v1.7.8-rc1

v1.7.8-rc2

v1.7.8-rc3

v1.7.8-rc4

v1.7.9

v1.7.9-rc0

v1.7.9-rc1

v1.7.9-rc2

v1.8.0

v1.8.0-rc0

v1.8.0-rc1

v1.8.0-rc2

v1.8.0-rc3

v1.8.1

v1.8.1-rc0

v1.8.1-rc1

v1.8.1-rc2

v1.8.1-rc3

v1.8.2

v1.8.2-rc0

v1.8.2-rc1

v1.8.2-rc2

v1.8.2-rc3

v1.8.3

v1.8.3-rc0

v1.8.3-rc1

v1.8.3-rc2

v1.8.3-rc3

v1.8.4

v1.8.4-rc0

v1.8.4-rc1

v1.8.4-rc2

v1.8.4-rc3

v1.8.4-rc4

v1.8.5

v1.8.5-rc0

v1.8.5-rc1

v1.8.5-rc2

v1.8.5-rc3

v1.9-rc0

v1.9-rc1

v1.9-rc2

v1.9.0

v1.9.0-rc3

v2.*

v2.0.0

v2.0.0-rc0

v2.0.0-rc1

v2.0.0-rc2

v2.0.0-rc3

v2.0.0-rc4

v2.1.0

v2.1.0-rc0

v2.1.0-rc1

v2.1.0-rc2

v2.10.0

v2.10.0-rc0

v2.10.0-rc1

v2.10.0-rc2

v2.11.0

v2.11.0-rc0

v2.11.0-rc1

v2.11.0-rc2

v2.11.0-rc3

v2.12.0

v2.12.0-rc0

v2.12.0-rc1

v2.12.0-rc2

v2.13.0

v2.13.0-rc0

v2.13.0-rc1

v2.13.0-rc2

v2.14.0

v2.14.0-rc0

v2.14.0-rc1

v2.15.0

v2.15.0-rc0

v2.15.0-rc1

v2.15.0-rc2

v2.16.0

v2.16.0-rc0

v2.16.0-rc1

v2.16.0-rc2

v2.17.0

v2.17.0-rc0

v2.17.0-rc1

v2.17.0-rc2

v2.18.0

v2.18.0-rc0

v2.18.0-rc1

v2.18.0-rc2

v2.19.0

v2.19.0-rc0

v2.19.0-rc1

v2.19.0-rc2

v2.2.0

v2.2.0-rc0

v2.2.0-rc1

v2.2.0-rc2

v2.2.0-rc3

v2.21.0

v2.22.0-rc0

v2.27.0-rc1

v2.3.0

v2.3.0-rc0

v2.3.0-rc1

v2.3.0-rc2

v2.30.0-rc2

v2.4.0

v2.4.0-rc0

v2.4.0-rc1

v2.4.0-rc2

v2.4.0-rc3

v2.41.0-rc0

v2.5.0

v2.5.0-rc0

v2.5.0-rc1

v2.5.0-rc2

v2.5.0-rc3

v2.53.0.windows.1

v2.6.0

v2.6.0-rc0

v2.6.0-rc1

v2.6.0-rc2

v2.6.0-rc3

v2.7.0

v2.7.0-rc0

v2.7.0-rc1

v2.7.0-rc2

v2.7.0-rc3

v2.8.0

v2.8.0-rc0

v2.8.0-rc1

v2.8.0-rc2

v2.8.0-rc3

v2.8.0-rc4

v2.9.0

v2.9.0-rc0

v2.9.0-rc1

v2.9.0-rc2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66413.json"