{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-53263", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-11-19T20:08:14.481Z", "datePublished": "2025-01-14T19:33:21.876Z", "dateUpdated": "2026-02-26T19:09:07.898Z"}, "containers": {"cna": {"title": "Git LFS permits exfiltration of credentials via crafted HTTP URLs", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/git-lfs/git-lfs/security/advisories/GHSA-q6r2-x2cc-vrp7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/git-lfs/git-lfs/security/advisories/GHSA-q6r2-x2cc-vrp7"}, {"name": "https://github.com/git-lfs/git-lfs/commit/0345b6f816e611d050c0df67b61f0022916a1c90", "tags": ["x_refsource_MISC"], "url": "https://github.com/git-lfs/git-lfs/commit/0345b6f816e611d050c0df67b61f0022916a1c90"}, {"name": "https://github.com/git-lfs/git-lfs/releases/tag/v3.6.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/git-lfs/git-lfs/releases/tag/v3.6.1"}], "affected": [{"vendor": "git-lfs", "product": "git-lfs", "versions": [{"version": ">= 0.1.0, < 3.6.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-01-14T19:33:21.876Z"}, "descriptions": [{"lang": "en", "value": "Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the `git-credential(1)` command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user's Git credentials. This problem exists in all previous versions and is patched in v3.6.1. All users should upgrade to v3.6.1. There are no workarounds known at this time."}], "source": {"advisory": "GHSA-q6r2-x2cc-vrp7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-53263", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-01-28T04:55:25.805317Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T19:09:07.898Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00022.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-01-23T18:03:25.138Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00022.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-01-23T18:03:25.138Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-53263", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-01-28T04:55:25.805317Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-15T14:55:44.242Z"}}], "cna": {"title": "Git LFS permits exfiltration of credentials via crafted HTTP URLs", "source": {"advisory": "GHSA-q6r2-x2cc-vrp7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "git-lfs", "product": "git-lfs", "versions": [{"status": "affected", "version": ">= 0.1.0, < 3.6.1"}]}], "references": [{"url": "https://github.com/git-lfs/git-lfs/security/advisories/GHSA-q6r2-x2cc-vrp7", "name": "https://github.com/git-lfs/git-lfs/security/advisories/GHSA-q6r2-x2cc-vrp7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/git-lfs/git-lfs/commit/0345b6f816e611d050c0df67b61f0022916a1c90", "name": "https://github.com/git-lfs/git-lfs/commit/0345b6f816e611d050c0df67b61f0022916a1c90", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/git-lfs/git-lfs/releases/tag/v3.6.1", "name": "https://github.com/git-lfs/git-lfs/releases/tag/v3.6.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the `git-credential(1)` command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user's Git credentials. This problem exists in all previous versions and is patched in v3.6.1. All users should upgrade to v3.6.1. There are no workarounds known at this time."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-01-14T19:33:21.876Z"}}}, "cveMetadata": {"cveId": "CVE-2024-53263", "state": "PUBLISHED", "dateUpdated": "2026-02-26T19:09:07.898Z", "dateReserved": "2024-11-19T20:08:14.481Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-01-14T19:33:21.876Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the `git-credential(1)` command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user's Git credentials. This problem exists in all previous versions and is patched in v3.6.1. All users should upgrade to v3.6.1. There are no workarounds known at this time."}, {"lang": "es", "value": "Git LFS es una extensi\u00f3n de Git para controlar las versiones de archivos grandes. Cuando Git LFS solicita credenciales de Git para un host remoto, pasa partes de la URL del host al comando `git-credential(1)` sin verificar si hay caracteres de control de fin de l\u00ednea incrustados y luego env\u00eda las credenciales que recibe del asistente de credenciales de Git al host remoto. Al insertar caracteres de control codificados en la URL, como caracteres de avance de l\u00ednea (LF) o retorno de carro (CR), un atacante puede recuperar las credenciales de Git de un usuario. Este problema existe en todas las versiones anteriores y se solucion\u00f3 en la v3.6.1. Todos los usuarios deben actualizar a la v3.6.1. No se conocen Workarounds en este momento."}], "id": "CVE-2024-53263", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-01-14T20:15:28.610", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/git-lfs/git-lfs/commit/0345b6f816e611d050c0df67b61f0022916a1c90"}, {"source": "security-advisories@github.com", "url": "https://github.com/git-lfs/git-lfs/releases/tag/v3.6.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/git-lfs/git-lfs/security/advisories/GHSA-q6r2-x2cc-vrp7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00022.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:0845", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "git-lfs-0:3.4.1-4.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-01-30T00:00:00Z"}, {"advisory": "RHSA-2025:0825", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "git-lfs-0:2.13.3-3.el8_4.1", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2025-01-30T00:00:00Z"}, {"advisory": "RHSA-2025:0825", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "git-lfs-0:2.13.3-3.el8_4.1", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2025-01-30T00:00:00Z"}, {"advisory": "RHSA-2025:0825", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "git-lfs-0:2.13.3-3.el8_4.1", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2025-01-30T00:00:00Z"}, {"advisory": "RHSA-2025:0765", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "git-lfs-0:2.13.3-3.el8_6.3", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2025-01-28T00:00:00Z"}, {"advisory": "RHSA-2025:0765", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "git-lfs-0:2.13.3-3.el8_6.3", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2025-01-28T00:00:00Z"}, {"advisory": "RHSA-2025:0765", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "git-lfs-0:2.13.3-3.el8_6.3", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2025-01-28T00:00:00Z"}, {"advisory": "RHSA-2025:0762", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "git-lfs-0:3.2.0-2.el8_8.3", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2025-01-28T00:00:00Z"}, {"advisory": "RHSA-2025:0673", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "git-lfs-0:3.4.1-4.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-01-23T00:00:00Z"}, {"advisory": "RHSA-2025:0758", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "git-lfs-0:2.13.3-5.el9_0.3", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2025-01-28T00:00:00Z"}, {"advisory": "RHSA-2025:0757", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "git-lfs-0:3.2.0-2.el9_2.2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2025-01-28T00:00:00Z"}, {"advisory": "RHSA-2025:0759", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "git-lfs-0:3.4.1-4.el9_4.1", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-01-28T00:00:00Z"}], "bugzilla": {"description": "git-lfs: Git LFS permits exfiltration of credentials via crafted HTTP URLs", "id": "2338002", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2338002"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-74", "details": ["Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the `git-credential(1)` command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user's Git credentials. This problem exists in all previous versions and is patched in v3.6.1. All users should upgrade to v3.6.1. There are no workarounds known at this time.", "A flaw was found in the Git LFS git extension. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the `git-credential(1)` command without checking for embedded line-ending control characters and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user's Git credentials."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-53263", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "git-lfs", "product_name": "Red Hat Enterprise Linux 10"}], "public_date": "2025-01-14T19:33:21Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-53263\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-53263\nhttps://github.com/git-lfs/git-lfs/commit/0345b6f816e611d050c0df67b61f0022916a1c90\nhttps://github.com/git-lfs/git-lfs/releases/tag/v3.6.1\nhttps://github.com/git-lfs/git-lfs/security/advisories/GHSA-q6r2-x2cc-vrp7"], "statement": "This vulnerability in Git LFS is important rather than moderate because it directly impacts the security of credential handling, a core aspect of repository access control. By allowing an attacker to inject line-ending control characters, such as LF or CR, into URLs passed to the `git-credential` command, it bypasses a fundamental trust boundary between Git and the credential helper. This issue could enable attackers to intercept or exfiltrate user credentials, granting unauthorized access to repositories, including private and sensitive data.", "threat_severity": "Important"}

{}