CVE-2025-27613: 
vulnerability analysis and mitigation

Gitk, a Tcl/Tk based Git history browser, contains a vulnerability (CVE-2025-27613) that affects versions 1.7.0 to 2.50.0. The vulnerability was discovered and disclosed on July 10, 2025, affecting systems where users clone untrusted repositories and run gitk without additional command arguments (GitHub Advisory, NVD).

The vulnerability allows for file creation and truncation of files where the user has write permissions. This occurs under two conditions: when the 'Support per-file encoding' option is enabled in Gitk's Preferences (disabled by default), or when using the 'Show origin of this line' feature in the main window, regardless of the encoding setting. The vulnerability has been assigned a CVSS v3.1 score of 3.6 (Low) with a vector string of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N (GitHub Advisory).

When exploited, the vulnerability can lead to unauthorized file creation and truncation of existing files in locations where the user has write permissions. The impact is limited to file integrity, with no direct effect on confidentiality or availability (GitHub Advisory).

The vulnerability has been fixed in versions 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1. Workarounds include disabling the 'Support per-file encoding' option in Gitk's Preferences, avoiding the use of 'Show origin of this line' feature, not cloning repositories from untrusted sources, or refraining from using gitk altogether (GitHub Advisory).