CVE-2025-46334OS Command Injection in Git-gui

CWE-78OS Command Injection4 documents4 sources
Severity
8.6HIGHNVD
EPSS
0.0%
top 99.07%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
9
GITJ6T Git-guiDebian GIT+6 more
Timeline
PublishedJul 10

Description

Git GUI allows you to use the Git source control management tools via a GUI. A malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable always includes the current directory. The mentioned programs are invoked when the user selects Git Bash or Browse Files from the menu. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HExploitability: 1.8 | Impact: 6.0

Affected Packages9 packages

CVEListV5j6t/git-gui< 2.43.7+7
Alpinegit/git< 2.43.7-r0+4
debiandebian/git

🔴Vulnerability Details

1
OSV
CVE-2025-46334: Git GUI allows you to use the Git source control management tools via a GUI2025-07-10

📋Vendor Advisories

2
Microsoft
GitHub: CVE-2025-46334 Git Malicious Shell Vulnerability2025-07-08
Debian
CVE-2025-46334: git - Git GUI allows you to use the Git source control management tools via a GUI. A m...2025