How to fix CVE-2025-46334?

Within 24 hours: Inventory all systems running Git GUI and identify affected versions below 2.43.7. Within 7 days: Communicate risk to development teams and restrict cloning of untrusted repositories; consider disabling Git Bash and Browse Files features until patching. Within 30 days: Upgrade Git to patched versions (2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, or 2.50.1) across all systems.

Is Windows affected by CVE-2025-46334?

A critical vulnerability in Git GUI on Windows allows attackers to execute malicious code when users interact with compromised repositories. Organizations using Git GUI are at immediate risk of code execution and potential system compromise if employees clone or work with untrusted repositories.

CVE-2025-46334

EUVD-2025-21003 HIGH

2025-07-10 [email protected]

8.6

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 16, 2026 - 06:52 vuln.today

EUVD ID Assigned

Mar 16, 2026 - 06:52 euvd

EUVD-2025-21003

CVE Published

Jul 10, 2025 - 15:15 nvd

HIGH 8.6

Description

Git GUI allows you to use the Git source control management tools via a GUI. A malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable always includes the current directory. The mentioned programs are invoked when the user selects Git Bash or Browse Files from the menu. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.

Analysis

A remote code execution vulnerability in Git GUI (CVSS 8.6) that allows you. High severity vulnerability requiring prompt remediation.

Technical Context

CWE-78 (OS Command Injection). CVSS 8.6 indicates high severity. Affects Git GUI.

Affected Products

['Git GUI']

Remediation

Monitor vendor channels for patch availability. Implement input validation and WAF rules as interim mitigation.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +43

POC: 0

Vendor Status

Ubuntu

Priority: Medium

git

Release	Status	Version
xenial	not-affected	Windows only
bionic	not-affected	Windows only
focal	not-affected	Windows only
jammy	not-affected	Windows only
noble	not-affected	Windows only
oracular	not-affected	Windows only
plucky	not-affected	Windows only
upstream	pending	2.43.7

Debian

git

Release	Status	Fixed Version	Urgency
bullseye	fixed	1:2.30.2-1+deb11u2	-
bullseye (security)	fixed	1:2.30.2-1+deb11u5	-
bookworm	fixed	1:2.39.5-0+deb12u3	-
bookworm (security)	fixed	1:2.39.5-0+deb12u2	-
trixie	fixed	1:2.47.3-0+deb13u1	-
forky	fixed	1:2.51.0-1	-
sid	fixed	1:2.53.0-1	-
(unstable)	not-affected	-	-

CVE-2025-46334 vulnerability details – vuln.today

Back

CVE-2025-46334

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

CVE-2025-46334

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

External POC / Exploit Code