CVE-2025-27613: 
vulnerability analysis and mitigation

CVE-2025-27613 affects Gitk, a Tcl/Tk based Git history browser. The vulnerability was discovered and disclosed on July 10, 2025, impacting versions from 1.7.0 to 2.50.0. When a user clones an untrusted repository and runs gitk without additional command arguments, the vulnerability allows for the creation and truncation of files for which the user has write permission (GitHub Advisory, NVD).

The vulnerability occurs under two conditions: when the 'Support per-file encoding' option is enabled in Gitk's Preferences (disabled by default), or when using the 'Show origin of this line' feature in the main window (regardless of encoding settings). The issue has been assigned a CVSS v3.1 base score of 3.6 (Low) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N, indicating local attack vector, low attack complexity, no privileges required, and user interaction required (Ubuntu).

The vulnerability allows an attacker to create and truncate files for which the user has write permissions when running gitk on an untrusted repository. While the impact is limited to file integrity (no confidentiality or availability impacts), it could potentially be used to manipulate local files within the user's write permissions (GitHub Advisory).

The vulnerability has been fixed in versions 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1. Workarounds include ensuring the 'Support per-file encoding' option in Gitk's Preferences is disabled, avoiding the use of 'Show origin of this line' feature, not cloning repositories from untrusted sources, or not using gitk altogether (GitHub Advisory).