PT-2025-28848 · Git+11

Avih · Published 2025-01-01 · Updated 2025-10-09 · CVE-2025-27613

CVSS v3.1: 3.6 (Low)
Vector: AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Git versions 2.43.7 through 2.49.1
Description: The issue allows any writable file to be created or truncated when a user clones an untrusted repository and runs Gitk without additional command-line arguments, provided the "Support per-file encoding" option is enabled. The "Show origin of this line" operation is also affected, regardless of whether that option is enabled. Multiple vulnerabilities were fixed in Git, including arbitrary code execution and buffer overflows.
Recommendations: For Git versions 2.43.7 through 2.49.1, update to a version newer than 2.49.1 to resolve the issue. As a temporary workaround, consider disabling the "Support per-file encoding" option and restricting the use of Gitk until a patch is available. Avoid using the "Show origin of this line" operation in Gitk on untrusted repositories until the issue is resolved.

Status: Fix
Weakness Enumeration: OS Command Injection

Related Identifiers

ALSA-2025:11462
ALSA-2025:11533
ALSA-2025:11534
ALT-PU-2025-10893
ALT-PU-2025-9420
ALT-PU-2025-9640
AZL-65073
AZL-65076
BDU:2025-09364
CESA-2025_11534
CVE-2025-27613
DLA-4323-1
ECHO-B1D0-A192-7995
GHSA-F3CW-XRJ3-WR2V
INFSA-2025_11462
INFSA-2025_11534
OESA-2025-1844
OESA-2025-1845
OESA-2025-1846
OESA-2025-1847
OESA-2025-1848
OESA-2025-1849
OPENSUSE-SU-2025:15337-1
RHSA-2025:11462
RHSA-2025:11533
RHSA-2025:11534
RHSA-2025_11462
RHSA-2025_11534
SUSE-SU-2025:03012-1
SUSE-SU-2025:03022-1
SUSE-SU-2025:03037-1
SUSE-SU-2025:20721-1
SUSE-SU-2025:20855-1
SUSE-SU-2025_03012-1
SUSE-SU-2025_03022-1
SUSE-SU-2025_03037-1
USN-7626-1
USN-7626-2
USN-7626-3

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Git
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu