Critical Vulnerability in Git GUI for Windows (CVE-2025-46334): A Call for Immediate Action

A critical security vulnerability, identified as CVE-2025-46334, has been discovered in Git GUI for Windows, posing a significant threat of arbitrary code execution. This flaw highlights the persistent dangers of path lookup vulnerabilities and the need for developers to remain vigilant.

In the fast-paced world of software development, tools that streamline workflows are indispensable. Git GUI, a graphical user interface for the popular version control system Git, is one such tool widely used on the Windows platform. However, a recently disclosed vulnerability puts users at risk, allowing malicious repositories to compromise their systems.

The Technical Nitty-Gritty: How the Vulnerability Works

The core of CVE-2025-46334 lies in how Git GUI, which is based on Tcl/Tk, handles executable files on the Windows operating system. Due to a design choice in Tcl on Windows, the application's search path for executables always includes the current working directory. This means that when a user performs certain actions within Git GUI, the application might inadvertently execute a file from the repository's directory instead of a legitimate system tool.

An attacker can exploit this by crafting a malicious Git repository that includes a harmful executable file disguised with a common name, such as sh.exe or a text conversion filter program like astextplain. When an unsuspecting user clones this repository and then uses the "Git Bash" or "Browse Files" options from the Git GUI menu, the application may invoke the malicious executable from the repository, leading to arbitrary code execution.

The Potential Impact: A Serious Security Risk

The successful exploitation of CVE-2025-46334 could have severe consequences for affected users. An attacker could execute arbitrary code with the same level of permissions as the user running Git GUI. This could lead to a complete compromise of the system, enabling the attacker to:

  • Steal sensitive data: Access and exfiltrate personal files, credentials, and other confidential information.
  • Install malware: Deploy ransomware, spyware, or other malicious software.
  • Disrupt system operations: Interfere with the normal functioning of the system or use it as a launchpad for further attacks.

The vulnerability has been rated as "High" severity by GitHub, Inc., with a CVSS 3.1 base score of 8.6, underscoring the seriousness of the threat.

Who is Affected?

This vulnerability specifically impacts users of Git GUI on the Windows platform. Notably, installations of Visual Studio that bundle the vulnerable Git GUI component are also affected.

Protecting Your System: Mitigation and Best Practices

The most effective way to safeguard against CVE-2025-46334 is to update your Git installation to a patched version. The Git project has released fixes in the following versions:

  • 2.43.7
  • 2.44.4
  • 2.45.4
  • 2.46.4
  • 2.47.3
  • 2.48.2
  • 2.49.1
  • 2.50.1

Microsoft has also issued patches for affected versions of Visual Studio as part of its July 2025 Patch Tuesday updates.

For users who cannot immediately update, the following workarounds can reduce the risk of exploitation:

  • Avoid cloning untrusted repositories: Be cautious about the source of the repositories you are working with.
  • Refrain from using the "Git Bash" or "Browse Files" features in Git GUI within untrusted repositories.

This vulnerability was discovered and responsibly disclosed by Mark Levedahl, allowing for the development and release of patches to protect the community.

In conclusion, CVE-2025-46334 is a critical vulnerability that requires immediate attention from all Git GUI users on Windows. By promptly updating their software and adhering to security best practices, developers can protect themselves from this significant threat and ensure the integrity of their development environments.