Unrated severity · NVD Advisory · Published Feb 14, 2023 · Updated Mar 10, 2025
gitk can inadvertently call executables in the worktree
CVE-2023-23618
Description
Git for Windows is the Windows port of the revision control system Git. Prior to Git for Windows version 2.39.2, when gitk is run on Windows, it potentially runs executables from the current directory inadvertently, which can be exploited with some social engineering to trick users into running untrusted code. A patch is available in version 2.39.2. As a workaround, avoid using gitk (or Git GUI's "Visualize History" functionality) in clones of untrusted repositories.
Affected products
- Range: < 2.39.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/git-for-windows/git/commit/49a8ec9dac3cec6602f05fed1b3f80a549c8c05c (MISC)
- github.com/git-for-windows/git/releases/tag/v2.39.2.windows.1 (MISC)
- github.com/git-for-windows/git/security/advisories/GHSA-wxwv-49qw-35pm (CONFIRM)
- wiki.tcl-lang.org/page/exec (MISC)
News mentions
No linked articles in our index yet.