CVE-2024-52006 Overview
CVE-2024-52006 is an input validation vulnerability in Git's credential helper protocol that allows for Carriage Return (CR) injection. Git defines a line-based protocol for exchanging information between Git and credential helpers. However, certain ecosystems—most notably .NET and Node.js—interpret single Carriage Return characters as newlines, which renders the protections against the earlier CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this manner.
This vulnerability represents an incomplete fix for CVE-2020-5260, where attackers could potentially inject malicious data into the credential helper communication channel by exploiting the inconsistent handling of CR characters across different platforms and runtimes.
Critical Impact
Attackers can potentially manipulate Git credential helper protocol communications through CR injection, enabling credential theft or protocol manipulation when using vulnerable credential helpers on affected ecosystems like .NET or Node.js.
Affected Products
- Git versions prior to v2.48.1
- Git versions v2.47.x prior to v2.47.2, v2.46.x prior to v2.46.3, v2.45.x prior to v2.45.3
- Git versions v2.44.x prior to v2.44.3, v2.43.x prior to v2.43.6, v2.42.x prior to v2.42.4, v2.41.x prior to v2.41.3, v2.40.x prior to v2.40.4
- Debian Linux 11.0
Discovery Timeline
- 2025-01-14 - CVE-2024-52006 published to NVD
- 2025-12-18 - Last updated in NVD database
Technical Details for CVE-2024-52006
Vulnerability Analysis
The vulnerability stems from how Git's credential helper protocol handles line terminators. Git uses a simple line-based text protocol to communicate with external credential helpers. The protocol was designed with Unix-style line endings (LF - \n) in mind, but failed to account for how different runtime environments handle Carriage Return characters (\r or 0x0D).
When credential helpers are implemented in ecosystems like .NET or Node.js, these runtimes may interpret a standalone CR character as a newline delimiter. This creates an opportunity for attackers to craft malicious URLs or repository configurations that inject CR characters, which are then interpreted as line breaks by vulnerable credential helpers while being treated as part of the same line by Git itself.
This represents a bypass of the protections implemented for CVE-2020-5260, which addressed similar injection attacks but did not account for this specific line terminator inconsistency across platforms.
Root Cause
The root cause is an Improper Encoding or Escaping of Output (CWE-116) in Git's credential helper protocol. The protocol specification and implementation did not properly sanitize or reject Carriage Return characters, assuming that only LF characters would be treated as line terminators. This assumption breaks when interacting with credential helpers built on runtimes that use different newline conventions.
Attack Vector
The attack requires user interaction through cloning or interacting with a malicious repository. An attacker would craft a repository with specially constructed URLs containing embedded CR characters. When Git communicates with a vulnerable credential helper, these CR characters could be interpreted as protocol line separators, allowing the attacker to inject additional protocol commands or manipulate credential data.
The attack is network-based and requires the victim to clone from an attacker-controlled or compromised repository, particularly when using recursive clones that may process untrusted submodule URLs.
// Security patch in Documentation/config/credential.txt
will be URL-encoded by default). Configure this setting to `false` to
override that behavior.
+credential.protectProtocol::
+ By default, Carriage Return characters are not allowed in the protocol
+ that is used when Git talks to a credential helper. This setting allows
+ users to override this default.
+
credential.username::
If no username is set for a network authentication, use this username
by default. See credential.<context>.* below, and
Source: Git Commit b01b9b8
The patch introduces a new configuration option credential.protectProtocol that blocks Carriage Return characters in the credential helper protocol by default:
// Security patch in credential.c
c->use_http_path = git_config_bool(var, value);
else if (!strcmp(key, "sanitizeprompt"))
c->sanitize_prompt = git_config_bool(var, value);
+ else if (!strcmp(key, "protectprotocol"))
+ c->protect_protocol = git_config_bool(var, value);
return 0;
}
Source: Git Commit b01b9b8
Detection Methods for CVE-2024-52006
Indicators of Compromise
- Unusual credential helper activity or unexpected authentication prompts when cloning repositories
- Repository URLs containing encoded or raw Carriage Return characters (%0D or \r)
- Unexpected credential leakage to unauthorized servers
- Git operations failing with credential helper protocol errors after applying patches
Detection Strategies
- Monitor Git operations for URLs containing CR characters (%0D encoded or raw \r)
- Audit credential helper configurations and ensure they are from trusted sources
- Review Git logs for unusual credential helper interactions or authentication failures
- Implement network monitoring to detect credential exfiltration to unexpected endpoints
Monitoring Recommendations
- Enable verbose Git logging during clone operations from untrusted sources
- Monitor for updates to credential helper binaries or configurations
- Track network connections made by Git and credential helper processes during repository operations
- Audit submodule URLs in repositories before performing recursive clones
How to Mitigate CVE-2024-52006
Immediate Actions Required
- Upgrade Git to patched versions: v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, or v2.40.4
- Avoid cloning repositories from untrusted sources until patched
- Do not use recursive clones on untrusted repositories as submodule URLs may contain malicious content
- Review and audit credential helpers in use, particularly those built on .NET or Node.js
Patch Information
The vulnerability has been addressed in Git commit b01b9b8 which introduces the credential.protectProtocol configuration option. This option is enabled by default and disallows Carriage Return characters in the credential helper protocol.
Patched versions include:
- v2.48.1
- v2.47.2
- v2.46.3
- v2.45.3
- v2.44.3
- v2.43.6
- v2.42.4
- v2.41.3
- v2.40.4
For additional details, see the Git Security Advisory and Git Credential Manager Security Advisory. Debian users should also consult the Debian LTS Announcement.
Workarounds
- Avoid cloning from untrusted URLs until Git can be upgraded to a patched version
- Be especially cautious with recursive clones as they process submodule URLs automatically
- Consider using credential helpers that do not rely on .NET or Node.js runtimes if unable to patch immediately
- Manually review repository configurations and submodule URLs before cloning
# Verify Git version is patched
git --version
# Upgrade Git on Debian/Ubuntu
sudo apt update && sudo apt upgrade git
# Upgrade Git on RHEL/CentOS
sudo yum update git
# Upgrade Git on macOS with Homebrew
brew upgrade git
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
