CVE-2025-27614: 
vulnerability analysis and mitigation

CVE-2025-27614 affects Gitk, a Tcl/Tk based Git history browser. The vulnerability was discovered and disclosed on July 10, 2025, affecting versions 2.41.0 through 2.50.0. The issue allows an attacker to craft a Git repository that can trick users who have cloned the repository into executing arbitrary scripts through the gitk command (NVD, GitHub Advisory).

The vulnerability exists in the way Gitk handles filename arguments. When a user invokes gitk with a specially crafted filename, the application can be manipulated to execute arbitrary scripts (e.g., Bourne shell, Perl, Python) with the user's privileges. The vulnerability has been assigned a CVSS v3.1 base score of 8.6 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, indicating local attack vector, low attack complexity, no privileges required, and user interaction required (GitHub Advisory).

The vulnerability allows attackers to execute arbitrary scripts with the privileges of the user who runs gitk. This can lead to complete compromise of the user's environment, potentially affecting the confidentiality, integrity, and availability of the user's data (GitHub Advisory).

The vulnerability has been fixed in versions 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1. Users are advised to upgrade to these patched versions. As temporary workarounds, users should avoid cloning repositories from untrusted sources and consider not using Gitk until the update can be applied (GitHub Advisory).