CVE-2025-27613: OS Command Injection in Gitk

Severity: 3.6 LOW (NVD)
EPSS: 0.0% (top 98.07%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 10

Description

Gitk is a Tcl/Tk based Git history browser. Starting with version 1.7.0, when a user clones an untrusted repository and runs gitk without additional command arguments, files for which the user has write permission can be created and truncated. The option "Support per-file encoding" must have been enabled beforehand in Gitk's Preferences; this option is disabled by default. The same happens when "Show origin of this line" is used in the main window (regardless of whether "Support per-file encoding" is enabled or n

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Exploitability: 1.8 | Impact: 1.4

Affected Packages (10 packages)

Source      | Package     | Affected versions
CVEList V5  | j6t/gitk    | 8 versions (+7)
Debian      | debian/git  | < git 1:2.39.5-0+deb12u3 (bookworm)
Debian      | git/git     | < 1:2.30.2-1+deb11u5 (+3)
Ubuntu      | git/git     | < 1:2.34.1-1ubuntu1.14 (+12)

🔴 Vulnerability Details (4)

OSV: CVE-2025-27613: Gitk is a Tcl/Tk based Git history browser (2025-07-10)
OSV: git regression (2025-07-10)
OSV: git regression (2025-07-09)
OSV: git vulnerabilities (2025-07-08)

📋 Vendor Advisories (6)

Ubuntu: Git regression (2025-07-10)
Ubuntu: Git regression (2025-07-09)
Ubuntu: Git vulnerabilities (2025-07-08)
Microsoft: GitHub: CVE-2025-27613 Gitk Arguments Vulnerability (2025-07-08)
Red Hat: gitk: Git file creation flaw (2025-07-08)