CVE-2025-27613
BaseFortify

Publication date: 2025-07-10

Last updated on: 2025-11-04

Assigner: GitHub, Inc.

Description
Gitk is a Tcl/Tk-based Git history browser. Starting with 1.7.0, when a user clones an untrusted repository and runs gitk without additional command arguments, files for which the user has write permission can be created and truncated. The option 'Support per-file encoding' must have been enabled beforehand in Gitk's Preferences; this option is disabled by default. The same happens when 'Show origin of this line' is used in the main window (regardless of whether 'Support per-file encoding' is enabled or not). This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.
Meta Information
Published: 2025-07-10
Last Modified: 2025-11-04
Generated: 2026-05-07
AI Q&A: 2025-07-10
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products (9 associated CPEs)
Vendor  Product  Version / Range
git     gitk     1.7.0
git     gitk     2.43.7
git     gitk     2.44.4
git     gitk     2.45.4
git     gitk     2.46.4
git     gitk     2.47.3
git     gitk     2.48.2
git     gitk     2.49.1
git     gitk     2.50.0
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Gitk, a Git history browser, occurs when a user clones an untrusted repository and runs Gitk without additional command arguments. If the 'Support per-file encoding' option was previously enabled in Gitk's Preferences, files for which the user has write permission can be created and truncated. Additionally, using the 'Show origin of this line' feature in the main window triggers the same behavior regardless of the encoding option. This can lead to unintended modification of files.


How can this vulnerability impact me?

The vulnerability can impact you by allowing unintended creation and truncation of files that you have write permission for when running Gitk on untrusted repositories. This could lead to loss or corruption of data in those files, potentially disrupting your work or causing data integrity issues.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update Gitk to one of the fixed versions: 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, or 2.50.1. Additionally, avoid enabling the 'Support per-file encoding' option in Gitk's Preferences and avoid using the 'Show origin of this line' feature until the update is applied.

