PT-2025-22411 · GitHub · GitHub Desktop

Published

2025-05-21

·

Updated

2025-05-21

·

CVE-2025-48064

CVSS v3.1

3.3

Low

Vector

AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

GitHub Desktop versions prior to 3.4.20

Description

The issue affects GitHub Desktop users on Windows. An attacker can cause information disclosure by convincing a user to view a malicious file in the history view. To render that view, GitHub Desktop invokes git log or git diff with the object id (SHA) of the commit, the name of the file and, if the file has been renamed, its old name. As a security precaution, Git attempts to fully resolve the old and new path via realpath, traversing symlinks, to ensure the resolved paths reside within the repository working directory. A file name or rename source taken from the malicious commit can therefore make Git attempt to access a network share during this resolution, at which point Windows performs NTLM authentication against the attacker's host and discloses the computer name, the currently signed-in Windows user name and an NTLM challenge-response (the "NTLM hash"), which can be cracked offline to recover the user's password.

Recommendations

For versions prior to 3.4.20, upgrade to GitHub Desktop 3.4.20 or later to fix the vulnerability. As a temporary workaround, only browse commits in the history view that come from trusted sources. Blocking outbound SMB (TCP 445) to untrusted networks at the host or perimeter firewall, a standard hardening measure against NTLM leaks, reduces the exposure but does not replace the upgrade.

Information Disclosure

Related Identifiers

CVE-2025-48064
GHSA-F234-7HJ3-VR8J

Affected Products

GitHub Desktop