PT-2025-4786 · GitHub · GitHub Desktop

Author: Niik · Published: 2025-01-15 · Updated: 2025-01-29

CVE: CVE-2025-23040
CVSS v3.1: 6.6 (Medium)
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: GitHub Desktop versions prior to 3.4.12

Description: An attacker can obtain a user's credentials by convincing them to clone a repository, either directly or through a submodule, whose remote URL is maliciously crafted. GitHub Desktop relies on Git for network operations and uses the git-credential protocol to request credentials for remote hosts. A crafted URL can cause GitHub Desktop to misinterpret the credential request and send the credentials stored for a different host, which allows secret exfiltration. The GitHub username and OAuth token, or credentials for other Git remote hosts stored in GitHub Desktop, could therefore be transmitted to an unrelated host.

Recommendations: Update to GitHub Desktop 3.4.12 or greater to fix the vulnerability. As a precaution, users who suspect they may be affected should revoke any relevant credentials.

Weakness Enumeration: Insufficiently Protected Credentials

Related Identifiers:
CVE-2025-23040
GHSA-36MM-RH9Q-CPQQ

Affected Products: GitHub Desktop