CVE-2023-25815 Overview
CVE-2023-25815 is a Path Traversal and Format String vulnerability affecting Git for Windows that allows low-privilege users to inject fake localized messages into Git operations. The vulnerability stems from a change in MINGW-packages that caused the gettext() function to use a hardcoded path (C:\mingw64\share\locale) instead of the runtime prefix for localized message lookup. Since Git for Windows doesn't ship localized messages and any authenticated user can create folders in C:\, attackers can plant malicious message files that Git will display to users.
Critical Impact
Low-privilege users can place spoofed Git messages that appear legitimate, potentially deceiving users into visiting malicious websites or executing harmful actions through social engineering.
Affected Products
- Git for Windows (versions prior to 2.40.1)
- Fedora 37
- Fedora 38
Discovery Timeline
- April 25, 2023 - CVE-2023-25815 published to NVD
- November 4, 2025 - Last updated in NVD database
Technical Details for CVE-2023-25815
Vulnerability Analysis
This vulnerability exploits a change in how Git for Windows handles localized messages. Although Git for Windows doesn't ship localized messages with its installer, the underlying gettext() function still attempts to load them from a predictable filesystem location. The root issue involves two weaknesses classified under CWE-22 (Path Traversal) and CWE-134 (Format String Vulnerability).
The attack requires local access to the Windows system and relies heavily on social engineering to be effective. An attacker would need to create the C:\mingw64\share\locale directory structure and place crafted message files there. When a user runs Git commands, these fake messages would be displayed as if they were legitimate Git output, potentially instructing users to perform dangerous actions.
Root Cause
The vulnerability originated from a change in the MSYS2 MINGW-packages (documented in the MSYS2 MINGW-packages Pull Request) that modified how gettext() initializes. Instead of using a runtime-determined prefix to locate translation files, the function began using a hardcoded path C:\mingw64\share\locale. This path typically doesn't exist on most Windows systems, but crucially, any authenticated user has permission to create folders directly under C:\. This combination of factors—a predictable hardcoded path and permissive folder creation rights—creates the opportunity for message injection.
Attack Vector
The attack requires local access to the target system and involves the following steps:
- The attacker creates the directory structure C:\mingw64\share\locale\[language_code]\LC_MESSAGES\
- The attacker places a malicious .mo (compiled gettext message) file containing spoofed Git messages
- When a legitimate user runs Git commands, the fake messages are displayed
- The spoofed messages could instruct users to visit malicious websites or perform dangerous actions
This vulnerability requires significant social engineering to exploit effectively. For example, a fake message displayed after a git clone operation could direct users to a phishing site disguised as a legitimate Git-related resource. The local access requirement limits the attack surface, making this primarily a concern in shared computing environments.
Detection Methods for CVE-2023-25815
Indicators of Compromise
- Presence of the C:\mingw64\share\locale directory structure on systems where MSYS2/MINGW64 is not intentionally installed
- Unexpected .mo or .po files in locale directories under C:\mingw64\
- Git command output containing unusual messages, URLs, or instructions not typically displayed by Git
Detection Strategies
- Monitor file system activity for creation of the C:\mingw64 directory path on Windows systems
- Implement file integrity monitoring for unexpected locale files appearing in system paths
- Review Git command output logs for anomalous messages or unexpected URLs
Monitoring Recommendations
- Deploy endpoint detection rules to alert on folder creation under C:\mingw64\ by non-administrative users
- Utilize SentinelOne's behavioral detection capabilities to identify suspicious directory creation patterns
- Enable audit logging for folder creation events in the C:\ root directory
How to Mitigate CVE-2023-25815
Immediate Actions Required
- Update Git for Windows to version 2.40.1 or later immediately
- Audit Windows systems for the existence of C:\mingw64\share\locale directories
- Remove any suspicious locale files found in unexpected locations
- Review system access permissions on shared workstations
Patch Information
Git for Windows version 2.40.1 contains the official patch for this vulnerability. The fix ensures that the gettext initialization properly uses the runtime prefix rather than the hardcoded path. Users should upgrade through the official Git for Windows Release v2.40.1. For Linux distributions, refer to the respective security advisories from Fedora Package Announcements, Gentoo GLSA 202312-15, and Debian LTS Announcement.
Workarounds
- Avoid using Windows machines with shared accounts where multiple users have local access
- Proactively create an empty C:\mingw64 folder to prevent attackers from creating the malicious directory structure
- For administrators: Remove the permission to create folders directly in C:\ for non-administrative users
- Consider implementing application whitelisting to prevent execution from unexpected locale paths
# Create empty protective directory (run as administrator)
mkdir C:\mingw64
icacls C:\mingw64 /deny "Users:(WD)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
