CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Description
Gitk is a Tcl/Tk based Git history browser. Starting with 2.41.0, a Git repository can be crafted in such a way that with some social engineering a user who has cloned the repository can be tricked into running any script (e.g., Bourne shell, Perl, Python, ...) supplied by the attacker by invoking gitk filename, where filename has a particular structure. The script is run with the privileges of the user. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.
Analysis
CVE-2025-27614 is a command injection vulnerability in Gitk (Git's Tcl/Tk history browser) affecting versions 2.41.0 through 2.50.0 that allows arbitrary script execution with the user's privileges through specially crafted repository filenames. An attacker exploits it via social engineering, tricking a user into invoking 'gitk filename' where the filename is structured so that an attacker-supplied script (shell, Perl, Python, etc.) is executed. With a CVSS score of 8.6 (local attack vector, no privileges required, user interaction required, changed scope), this poses significant real-world risk for developers who clone untrusted repositories.
Technical Context
Gitk is a Tcl/Tk-based graphical Git repository history browser included with Git distributions. The vulnerability stems from CWE-78 (Improper Neutralization of Special Elements used in an OS Command - OS Command Injection), where user-controlled input (filenames) is insufficiently sanitized before being passed to shell command execution contexts. The affected technology stack includes: Tcl/Tk scripting engine, Git CLI integration, and shell command invocation mechanisms. The root cause appears to be inadequate escaping or validation of filename arguments when constructing and executing system commands within Gitk's file handling logic. This affects Git package distributions across multiple platforms (Linux, macOS, Windows) where Gitk is bundled or installed alongside Git versions 2.41.0 and later.
Affected Products
Git (inclusive of bundled Gitk component) versions: 2.41.0 through 2.42.x (unpatched), 2.43.0-2.43.6 (unpatched), 2.44.0-2.44.3 (unpatched), 2.45.0-2.45.3 (unpatched), 2.46.0-2.46.3 (unpatched), 2.47.0-2.47.2 (unpatched), 2.48.0-2.48.1 (unpatched), 2.49.0 (unpatched). Affected CPE scope: cpe:2.4:a:git-scm:git:* (versions 2.41.0 through 2.50.0-pre-patch). All operating systems and distributions bundling Git during this version range are affected (Linux distributions, macOS via Homebrew/MacPorts, Windows via Git for Windows, etc.). End users: software developers, DevOps engineers, and system administrators who use Gitk for repository visualization.
Remediation
Immediate patching is required. Update to a patched version: 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, or 2.50.0-final (or later).
For Linux distributions: apply security updates via the package manager (apt-get update && apt-get upgrade git on Debian/Ubuntu, yum update git on RHEL/CentOS, pacman -Syu git on Arch). For macOS: brew upgrade git. For Windows: download the latest Git for Windows installer from https://git-scm.com/download/win.
Workarounds (temporary, until patching): (1) Avoid invoking gitk on files with suspicious or unusual names from untrusted repositories. (2) Use alternative Git history browsers (e.g., git log, gitg, Magit, or web-based interfaces). (3) Inspect repository contents for suspicious filenames before invoking gitk. (4) Run Git operations in restricted environments (containers, VMs) when cloning untrusted repositories.
Mitigation: educate developers on the risks of cloning untrusted repositories and verify repository sources before interaction.
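As an added check (example code, not the advisory's or the Git project's own), the POSIX shell function below classifies an upstream Git version string against the fixed releases listed above. It assumes input in the form printed by `git --version` and does not account for distribution backports, which keep the upstream version number while carrying the fix (see the vendor tables below).

```shell
#!/bin/sh
# Added example: classify an upstream Git version against the fixed releases
# named for CVE-2025-27614 (2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2,
# 2.49.1, 2.50.0). Upstream numbers only: distro packages may be patched
# without changing this number, so consult the vendor status for those.

# Usage: cve_2025_27614_status VERSION
# Prints "affected", "fixed" or "not-affected". Exit status is 1 only when
# the version is affected, so it can be used directly in an `if`.
cve_2025_27614_status() {
    v=$1
    v=${v#"${v%%[0-9]*}"}      # drop leading text such as "git version "
    v=${v%%[!0-9.]*}           # drop a suffix such as ".windows.1" or "-rc0"
    old_ifs=$IFS
    IFS=.
    set -- $v                  # split into major, minor, patch
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}

    if [ "$major" -ne 2 ] || [ "$minor" -lt 41 ]; then
        echo not-affected; return 0      # before 2.41.0: code not present
    fi
    if [ "$minor" -ge 50 ]; then
        echo fixed; return 0             # 2.50.0 and later ship the fix
    fi
    # Lowest fixed patch level on each maintenance branch, per the advisory.
    case $minor in
        41|42) echo affected; return 1 ;;   # no fixed release on these branches
        43) fix=7 ;;
        44|45|46) fix=4 ;;
        47) fix=3 ;;
        48) fix=2 ;;
        49) fix=1 ;;
    esac
    if [ "$patch" -ge "$fix" ]; then
        echo fixed; return 0
    fi
    echo affected; return 1
}

# Report on the locally installed Git, when one is present.
if command -v git >/dev/null 2>&1; then
    echo "installed: $(git --version) -> $(cve_2025_27614_status "$(git --version)")"
fi
```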
Vendor Status
Ubuntu
Priority: Medium

| Release | Status | Version |
|---|---|---|
| xenial | not-affected | code not present |
| bionic | not-affected | code not present |
| focal | not-affected | code not present |
| jammy | not-affected | code not present |
| noble | released | 1:2.43.0-1ubuntu7.3 |
| oracular | released | 1:2.45.2-1ubuntu1.2 |
| plucky | released | 1:2.48.1-0ubuntu1.1 |
| upstream | released | 2.43.7 |
Debian
Bug #1108983

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | not-affected | - | - |
| bullseye (security) | fixed | 1:2.30.2-1+deb11u5 | - |
| bookworm | not-affected | - | - |
| bookworm (security) | fixed | 1:2.39.5-0+deb12u2 | - |
| trixie | fixed | 1:2.47.3-0+deb13u1 | - |
| forky | fixed | 1:2.51.0-1 | - |
| sid | fixed | 1:2.53.0-1 | - |
| (unstable) | fixed | 1:2.50.1-0.1 | - |
EUVD-2025-21004