CVE-2024-50349: 
Git vulnerability analysis and mitigation

Git has disclosed a security vulnerability (CVE-2024-50349) that affects its credential handling mechanism when requesting credentials via terminal prompts. The vulnerability was discovered and disclosed on January 14, 2025, affecting multiple Git versions including v2.48.0 and earlier versions down to v2.40.3. The issue impacts Git's core functionality when it asks for credentials without using a credential helper (GitHub Advisory).

The vulnerability occurs when Git decodes URL-encoded parts before displaying them in credential prompts, without properly neutralizing control sequences. This behavior allows attackers to craft URLs containing ANSI escape sequences that the terminal interprets. The issue has been assigned a CVSS v4.0 score of 2.1 (Low) with the vector string CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N. The vulnerability is associated with multiple CWE categories including CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences), CWE-147 (Improper Neutralization of Input Terminators), and CWE-116 (Improper Encoding or Escaping of Output) (GitHub Advisory).

The vulnerability could allow attackers to craft malicious URLs that confuse users into providing passwords for trusted Git hosting sites, which are then sent to untrusted sites under the attacker's control. This creates a potential credential theft risk when users interact with untrusted Git repositories (GitHub Advisory).

The issue has been patched in multiple Git versions including v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4 through commits 7725b81 and c903985. Users are advised to upgrade to these patched versions. For those unable to upgrade immediately, the recommended workaround is to avoid cloning from untrusted URLs, especially recursive clones (GitHub Advisory, Ubuntu Security).