Microsoft · Git Credential Manager · CVE-2020-26233
**Name of the Vulnerable Software and Affected Versions**
Git Credential Manager Core versions prior to 2.0.289
**Description**
The issue arises when recursively cloning a Git repository on Windows with submodules. If a malicious git.exe executable is present in the top-level repository, it will be started by Git Credential Manager Core when attempting to read configuration, instead of the git.exe found on the %PATH%. This only affects Git Credential Manager Core on Windows, not on macOS or Linux-based distributions.
**Recommendations**
For versions prior to 2.0.289, update to version 2.0.289 or later to resolve the issue. As a temporary workaround, avoid recursively cloning untrusted repositories with the --recurse-submodules option.
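
The following pre-flight check is an added example, not code from Microsoft or the Git Credential Manager project. It assumes the repository was first cloned without --recurse-submodules and that the installed GCM Core version string is passed in by the caller. It looks for a git.exe in the top-level working tree before submodules are fetched. All function names are hypothetical, and the sample trees are constructed.

```python
import os
import tempfile
from pathlib import Path

FIXED = (2, 0, 289)  # first fixed GCM Core release named in the advisory

def parse_version(text):
    """'2.0.280-beta+abc123' -> (2, 0, 280); build/pre-release tags are ignored."""
    core = text.strip().split("+")[0].split("-")[0]
    nums = tuple(int(p) for p in core.split("."))
    return (nums + (0, 0, 0))[:3]

def is_affected(version_text):
    return parse_version(version_text) < FIXED

def find_git_exe(repo_root, recursive=False):
    """Files named git.exe (any case, as Windows resolves names) in the work tree.
    The advisory names the top-level directory; recursive=True is a wider,
    more conservative sweep added here (assumption, not from the advisory)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(repo_root):
        # Skip .git metadata; when not recursive, do not descend at all.
        dirnames[:] = [d for d in dirnames if d.lower() != ".git"] if recursive else []
        hits += [Path(dirpath) / f for f in filenames if f.lower() == "git.exe"]
    return sorted(hits)

def preflight(repo_root, gcm_version):
    """Decide whether submodules may be fetched in this already-cloned repo."""
    hits = find_git_exe(repo_root)
    if hits and is_affected(gcm_version):
        return "block", hits    # vulnerable GCM Core plus a git.exe in the repo root
    if hits:
        return "review", hits   # patched GCM Core, but the file still deserves a look
    return "ok", hits

def demo():
    """Constructed sample: one clean tree and one with a planted 'Git.EXE'."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, bad = Path(tmp, "clean"), Path(tmp, "bad")
        for d in (clean, bad):
            (d / "src").mkdir(parents=True)
            (d / "README.md").write_text("sample")
        (bad / "Git.EXE").write_bytes(b"MZ")  # placeholder bytes, not a real binary
        return {"clean": preflight(clean, "2.0.280")[0],
                "bad_old": preflight(bad, "2.0.280-beta+abc123")[0],
                "bad_new": preflight(bad, "2.0.289")[0],
                "names": [p.name for p in find_git_exe(bad)]}

if __name__ == "__main__":
    print(demo())
```

Only when `preflight` returns "ok" should the submodules be fetched, for example with `git submodule update --init --recursive`.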