CVE-2024-53263: 
Rocky Linux vulnerability analysis and mitigation

Git LFS (Large File Storage), a Git extension for versioning large files, has been found to contain a security vulnerability (CVE-2024-53263) that affects all versions prior to v3.6.1. The vulnerability was discovered by RyotaK from Flatt Security Inc. and publicly disclosed on January 14, 2025. The issue affects all previous versions of Git LFS, which is used to replace large files with text pointers inside Git while storing the file contents on a remote server (GitHub Advisory, NVD).

When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the git-credential(1) command without properly validating embedded line-ending control characters. The vulnerability allows URL-encoded control characters such as line feed (LF) or carriage return (CR) to be processed without proper sanitization. The issue has been assigned a CVSS v4.0 base score of 8.5 (High), with the following vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N (GitHub Advisory).

The vulnerability could allow an attacker to retrieve a user's Git credentials by inserting URL-encoded control characters into the URL. This poses a significant security risk as it could lead to unauthorized access to Git repositories and potentially expose sensitive information (GitHub Advisory, Debian Advisory).

The vulnerability has been patched in Git LFS version 3.6.1. All users are strongly advised to upgrade to this version as there are no known workarounds. The fix includes implementing checks to reject bare line-ending control characters in Git credential requests (GitHub Release, GitHub Advisory).