CVE-2025-23040
Description
GitHub Desktop is an open-source, Electron-based GitHub app for Git development. An attacker who convinces a user to clone a repository, directly or through a submodule, can gain access to the user's credentials through a maliciously crafted remote URL. GitHub Desktop relies on Git for all network operations (cloning, fetching, pushing). When a user clones a repository, GitHub Desktop invokes git clone; when Git encounters a remote that requires authentication, it requests the credentials for that remote host from GitHub Desktop using the git-credential protocol. A maliciously crafted URL can cause the credential request coming from Git to be misinterpreted by GitHub Desktop, so that it sends credentials for a different host than the one Git is actually communicating with, allowing secret exfiltration. The GitHub username and OAuth token, or credentials for other Git remote hosts stored in GitHub Desktop, could be transmitted to an unrelated host. Users should update to GitHub Desktop 3.4.12 or later, which fixes this vulnerability. Users who suspect they may be affected should revoke any relevant credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitHub Desktop before 3.4.12 misinterprets maliciously crafted remote URLs during clone/fetch, causing credential exfiltration to an attacker-controlled host.
Vulnerability Overview
A credential exfiltration vulnerability (CVE-2025-23040) exists in GitHub Desktop, an Electron-based Git client. When a user clones a repository (directly or via a submodule) with a maliciously crafted remote URL, the credential request from Git can be misinterpreted by GitHub Desktop, causing it to send credentials for a *different* host than the one Git is actually communicating with [2]. This leverages the git-credential protocol [1], which GitHub Desktop uses to supply authentication to Git.
Attack Vector
An attacker must convince a user to clone a repository that contains a specially crafted remote URL. No interaction beyond the clone itself is needed: the attack is triggered when the user clones a malicious repository, or a legitimate repository that includes a malicious submodule. GitHub Desktop invokes git clone or git fetch, and when Git requests credentials (via the git-credential protocol) for the remote host it is connecting to, the malicious URL causes the desktop app to misinterpret that request and answer with credentials for a different host, so that secrets for one account are delivered to an attacker-controlled server [2].
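As an added illustration of the mechanics described above (example code written for this page, not GitHub Desktop's implementation; the page does not state which URL malformation the real exploit used), here is a minimal model of a git-credential helper in Node.js. It parses the key=value request Git writes to a helper's stdin, handling the `url=` shorthand with a real URL parser, and contrasts a naive lookup that picks the account by substring-matching the URL string with a strict lookup that releases a credential only when the parsed `host` attribute exactly matches a stored account. The credential store, hostnames and request texts are constructed for the example.

```javascript
// Example code for this page, not GitHub Desktop's own helper. Models the
// decision a git-credential helper makes: which stored account, if any, may
// answer the request Git is sending for a given remote host.

// Constructed credential store (hypothetical hosts and placeholder secrets).
const STORE = new Map([
  ["github.com", { username: "octocat", password: "<placeholder-oauth-token>" }],
  ["git.corp.example", { username: "alice", password: "<placeholder-pat>" }],
]);

// Parse the request Git writes to a helper: key=value lines, blank line ends
// it (see `git help credential`). Git itself refuses values with newlines or
// NUL; we reject CR and NUL too so a value cannot smuggle a second attribute.
function parseCredentialRequest(text) {
  const req = {};
  for (const line of text.split("\n")) {
    if (line === "") break; // blank line terminates the request
    const eq = line.indexOf("=");
    if (eq <= 0) throw new Error(`malformed line: ${JSON.stringify(line)}`);
    const key = line.slice(0, eq);
    const value = line.slice(eq + 1);
    if (/[\0\r]/.test(value)) throw new Error("control character in value");
    if (key === "url") {
      // `url=` is shorthand Git decomposes into protocol/host/path. Use the
      // WHATWG URL parser rather than string splitting, and refuse userinfo
      // so "https://github.com@evil.example/" cannot read as github.com.
      const u = new URL(value);
      if (u.username || u.password) throw new Error("userinfo in url attribute rejected");
      req.protocol = u.protocol.replace(/:$/, "");
      req.host = u.host; // includes :port when present, matching Git's host attribute
      req.path = u.pathname.replace(/^\//, "");
    } else {
      req[key] = value;
    }
  }
  return req;
}

// Naive lookup: the kind of reasoning that produces host confusion. It asks
// "does this look like one of my hosts?" by substring-matching the raw URL.
function naiveLookup(rawUrl) {
  for (const [host, cred] of STORE) {
    if (rawUrl.includes(host)) return { host, ...cred };
  }
  return null;
}

// Strict lookup: the host Git is actually talking to is the parsed `host`
// attribute. Only an exact match releases a secret, and only over https so a
// token is never handed to a plaintext remote (a design choice of this example).
function strictLookup(req) {
  if (req.protocol !== "https" || !req.host) return null;
  const cred = STORE.get(req.host);
  return cred ? { host: req.host, ...cred } : null;
}

// From raw request text to the credential the helper would emit; any parse
// failure or suspicious input releases nothing.
function answerRequest(text) {
  try {
    return strictLookup(parseCredentialRequest(text));
  } catch (e) {
    return null;
  }
}

// Constructed requests, written the way Git writes them to a helper's stdin.
const LEGIT = "protocol=https\nhost=github.com\npath=octocat/hello.git\n\n";
const LOOKALIKE = "protocol=https\nhost=github.com.evil.example\npath=x.git\n\n";
const USERINFO = "url=https://github.com@evil.example/x.git\n\n";

function demo() {
  return {
    legitStrict: answerRequest(LEGIT)?.host ?? null,
    lookalikeNaive: naiveLookup("https://github.com.evil.example/x.git")?.host ?? null,
    lookalikeStrict: answerRequest(LOOKALIKE),
    userinfoNaive: naiveLookup("https://github.com@evil.example/x.git")?.host ?? null,
    userinfoStrict: answerRequest(USERINFO),
  };
}

console.log(demo());
```

The two naive cases both come back as github.com, which is exactly the failure the advisory describes: a credential for one host released to another. The strict path refuses both because it never reasons about the URL as a string; it trusts only the host attribute Git derived, and rejects anything it could not parse unambiguously.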
Impact
Successful exploitation could leak the user's GitHub username and OAuth token, or credentials for any other Git remote host stored in GitHub Desktop, to an unrelated (attacker-controlled) host. This could lead to unauthorized access to the user's GitHub repositories and personal data [2].
Mitigation
The vulnerability is fixed in GitHub Desktop version 3.4.12 or greater. Users should update immediately. Those who suspect they may have been affected should revoke their GitHub Desktop OAuth token (following guidance in [3]) and any other relevant credentials stored in the application [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches
16d57135bd008
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (3)
News mentions (0)
No linked articles in our index yet.