CVE-2024-50338

High

Published: 14 January 2025

Published

14 January 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

EPSS Score 0.0015 35.4th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-50338 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Git Scm (inferred from references). Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 35.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

preventrecover

SI-2 mandates identifying, reporting, and patching software flaws such as the GCM newline parsing vulnerability to prevent credential capture from malicious remote URLs.

SI-10 Information Input Validation good match

prevent

SI-10 enforces validation of inputs to the credential protocol, directly addressing the mismatch in newline handling between Git and GCM's StreamReader that enables malformed credential parsing.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

RA-5 requires vulnerability scanning to identify and prioritize remediation of issues like CVE-2024-50338 in Git Credential Manager deployments.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1552 Unsecured Credentials Credential Access

Adversaries may search compromised systems to find and obtain insecurely stored credentials.

attack.mitre.org →

Why these techniques?

CVE enables client-side exploitation via malicious Git repo URL to steal credentials due to parsing flaw in GCM.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Git Credential Manager (GCM) is a secure Git credential helper built on .NET that runs on Windows, macOS, and Linux. The Git credential protocol is text-based over standard input/output, and consists of a series of lines of key-value pairs in…

the format `key=value`. Git's documentation restricts the use of the NUL (`\0`) character and newlines to form part of the keys or values. When Git reads from standard input, it considers both LF and CRLF as newline characters for the credential protocol by virtue of calling `strbuf_getline` that calls to `strbuf_getdelim_strip_crlf`. Git also validates that a newline is not present in the value by checking for the presence of the line-feed character (LF, `\n`), and errors if this is the case. This captures both LF and CRLF-type newlines. Git Credential Manager uses the .NET standard library `StreamReader` class to read the standard input stream line-by-line and parse the `key=value` credential protocol format. The implementation of the `ReadLineAsync` method considers LF, CRLF, and CR as valid line endings. This is means that .NET considers a single CR as a valid newline character, whereas Git does not. This mismatch of newline treatment between Git and GCM means that an attacker can craft a malicious remote URL. When a user clones or otherwise interacts with a malicious repository that requires authentication, the attacker can capture credentials for another Git remote. The attack is also heightened when cloning from repositories with submodules when using the `--recursive` clone option as the user is not able to inspect the submodule remote URLs beforehand. This issue has been patched in version 2.6.1 and all users are advised to upgrade. Users unable to upgrade should only interact with trusted remote repositories, and not clone with `--recursive` to allow inspection of any submodule URLs before cloning those submodules.

Deeper analysisAI

CVE-2024-50338 is a vulnerability in Git Credential Manager (GCM), a .NET-based secure Git credential helper that operates on Windows, macOS, and Linux. The issue stems from a mismatch in newline character handling between Git's credential protocol and GCM's implementation. Git's protocol uses text-based key-value pairs over stdin/stdout, restricting NUL characters and newlines in keys/values, and treats both LF and CRLF as newlines via strbuf_getline, while validating against LF in values. However, GCM employs the .NET StreamReader class, whose ReadLineAsync method also recognizes a single CR as a valid line ending, which Git does not. This discrepancy enables attackers to craft malicious remote URLs that manipulate credential parsing.

An attacker can exploit this by controlling a Git repository that requires authentication, tricking a user into cloning or interacting with it—particularly when using the --recursive option for submodules, where users cannot easily inspect submodule remote URLs beforehand. The exploit requires network access and user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N), with no privileges needed. Successful exploitation allows the attacker to capture credentials intended for a different, legitimate Git remote, leading to exposure of sensitive authentication data (CWE-200).

The vulnerability has been addressed in GCM version 2.6.1, and all users are advised to upgrade immediately. For those unable to update, mitigation involves interacting only with trusted remote repositories and avoiding the --recursive clone option to manually inspect and clone submodules. Relevant details are available in the GCM release notes and related code changes.