{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-46334", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-04-22T22:41:54.911Z", "datePublished": "2025-07-10T15:06:12.757Z", "dateUpdated": "2025-11-04T21:10:48.281Z"}, "containers": {"cna": {"title": "Git GUI malicious command injection on Windows", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/j6t/git-gui/security/advisories/GHSA-7px4-9hg2-fvhx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/j6t/git-gui/security/advisories/GHSA-7px4-9hg2-fvhx"}, {"name": "https://github.com/j6t/git-gui/compare/dcda716dbc9c90bcac4611bd1076747671ee0906..a1ccd2512072cf52835050f4c97a4fba9f0ec8f9", "tags": ["x_refsource_MISC"], "url": "https://github.com/j6t/git-gui/compare/dcda716dbc9c90bcac4611bd1076747671ee0906..a1ccd2512072cf52835050f4c97a4fba9f0ec8f9"}], "affected": [{"vendor": "j6t", "product": "git-gui", "versions": [{"version": "< 2.43.7", "status": "affected"}, {"version": ">= 2.44.0, < 2.44.4", "status": "affected"}, {"version": ">= 2.45.0, < 2.45.4", "status": "affected"}, {"version": ">= 2.46.0, < 2.46.4", "status": "affected"}, {"version": ">= 2.47.0, < 2.47.3", "status": "affected"}, {"version": ">= 2.48.0, < 2.48.2", "status": "affected"}, {"version": ">= 2.49.0, < 2.49.1", "status": "affected"}, {"version": ">= 2.50.0, < 2.50.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-10T15:06:12.757Z"}, "descriptions": [{"lang": "en", "value": "Git GUI allows you to use the Git source control management tools via a GUI. A malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable always includes the current directory. The mentioned programs are invoked when the user selects Git Bash or Browse Files from the menu. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1."}], "source": {"advisory": "GHSA-7px4-9hg2-fvhx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-10T15:54:14.118257Z", "id": "CVE-2025-46334", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-10T15:54:21.085Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/07/08/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-04T21:10:48.281Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/07/08/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-04T21:10:48.281Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-46334", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-10T15:54:14.118257Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-10T15:54:17.823Z"}}], "cna": {"title": "Git GUI malicious command injection on Windows", "source": {"advisory": "GHSA-7px4-9hg2-fvhx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "j6t", "product": "git-gui", "versions": [{"status": "affected", "version": "< 2.43.7"}, {"status": "affected", "version": ">= 2.44.0, < 2.44.4"}, {"status": "affected", "version": ">= 2.45.0, < 2.45.4"}, {"status": "affected", "version": ">= 2.46.0, < 2.46.4"}, {"status": "affected", "version": ">= 2.47.0, < 2.47.3"}, {"status": "affected", "version": ">= 2.48.0, < 2.48.2"}, {"status": "affected", "version": ">= 2.49.0, < 2.49.1"}, {"status": "affected", "version": ">= 2.50.0, < 2.50.1"}]}], "references": [{"url": "https://github.com/j6t/git-gui/security/advisories/GHSA-7px4-9hg2-fvhx", "name": "https://github.com/j6t/git-gui/security/advisories/GHSA-7px4-9hg2-fvhx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/j6t/git-gui/compare/dcda716dbc9c90bcac4611bd1076747671ee0906..a1ccd2512072cf52835050f4c97a4fba9f0ec8f9", "name": "https://github.com/j6t/git-gui/compare/dcda716dbc9c90bcac4611bd1076747671ee0906..a1ccd2512072cf52835050f4c97a4fba9f0ec8f9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Git GUI allows you to use the Git source control management tools via a GUI. A malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable always includes the current directory. The mentioned programs are invoked when the user selects Git Bash or Browse Files from the menu. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-10T15:06:12.757Z"}}}, "cveMetadata": {"cveId": "CVE-2025-46334", "state": "PUBLISHED", "dateUpdated": "2025-11-04T21:10:48.281Z", "dateReserved": "2025-04-22T22:41:54.911Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-07-10T15:06:12.757Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Git GUI allows you to use the Git source control management tools via a GUI. A malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable always includes the current directory. The mentioned programs are invoked when the user selects Git Bash or Browse Files from the menu. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1."}, {"lang": "es", "value": "Git GUI permite usar las herramientas de gesti\u00f3n del control de c\u00f3digo fuente de Git mediante una interfaz gr\u00e1fica. Un repositorio malicioso puede incluir versiones de sh.exe o programas de filtrado textconv t\u00edpicos, como astextplain. Debido al dise\u00f1o deficiente de Tcl en Windows, la ruta de b\u00fasqueda de un ejecutable siempre incluye el directorio actual. Estos programas se invocan cuando el usuario selecciona Git Bash o \"Explorar archivos\" en el men\u00fa. Esta vulnerabilidad est\u00e1 corregida en las versiones 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1 y 2.50.1."}], "id": "CVE-2025-46334", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-07-10T15:15:28.417", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/j6t/git-gui/compare/dcda716dbc9c90bcac4611bd1076747671ee0906..a1ccd2512072cf52835050f4c97a4fba9f0ec8f9"}, {"source": "security-advisories@github.com", "url": "https://github.com/j6t/git-gui/security/advisories/GHSA-7px4-9hg2-fvhx"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/07/08/4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}