CVE-2025-46334

NameCVE-2025-46334
DescriptionGit GUI allows you to use the Git source control management tools via a GUI. A malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable always includes the current directory. The mentioned programs are invoked when the user selects Git Bash or Browse Files from the menu. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
git (PTS)bullseye1:2.30.2-1+deb11u2fixed
bullseye (security)1:2.30.2-1+deb11u4fixed
bookworm, bookworm (security)1:2.39.5-0+deb12u2fixed
trixie1:2.47.3-0+deb13u1fixed
forky, sid1:2.51.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gitsource(unstable)(not affected)

Notes

- git <not-affected> (Only affects Git GUI on Windows)
https://lore.kernel.org/git/xmqq5xg2wrd1.fsf@gitster.g/
Merge commit: https://github.com/git/git/commit/d61cfed2c23705fbeb9c0d08f59e75ee08738950 (v2.43.7)

Search for package or bug name: Reporting problems