CVE-2025-46334: 
vulnerability analysis and mitigation

Git GUI, a graphical interface for Git source control management tools, was found to contain a critical security vulnerability (CVE-2025-46334) affecting Windows systems. The vulnerability was discovered by Mark Levedahl and disclosed on July 10, 2025. The issue affects all Git GUI versions up to and including 2.50.0, with patches released in versions 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1 (NVD, OSS Security).

The vulnerability stems from a design flaw in Tcl on Windows, where the search path for executables always includes the current directory. This allows a malicious repository to include versions of sh.exe or typical textconv filter programs like astextplain, which can be executed when users select 'Git Bash' or 'Browse Files' from the menu. The vulnerability has been assigned a CVSS v3.1 base score of 8.6 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, indicating local attack vector with low attack complexity (GitHub Advisory).

The vulnerability allows for command injection on Windows systems, potentially leading to arbitrary code execution with high impacts on confidentiality, integrity, and availability. When exploited, an attacker could execute malicious programs through the Git GUI interface, potentially compromising the affected system (GitHub Advisory).

As an immediate workaround, users are advised to avoid using the Git Bash or Browse Files menu commands. For a permanent fix, users should upgrade to one of the patched versions: 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, or 2.50.1 (OSS Security, GitHub Advisory).