CVE-2025-27614
BaseFortify
Publication date: 2025-07-10
Last updated on: 2025-11-04
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| git | gitk | 2.41.0 |
| git | gitk | 2.43.7 |
| git | gitk | 2.44.4 |
| git | gitk | 2.45.4 |
| git | gitk | 2.46.4 |
| git | gitk | 2.47.3 |
| git | gitk | 2.48.2 |
| git | gitk | 2.49.1 |
| git | gitk | 2.50.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Gitk (the Git repository browser) allows an attacker to craft a malicious Git repository that, combined with social engineering, can trick a user who has cloned it into running a script supplied by the attacker simply by invoking 'gitk filename' inside the repository. The script can be written in various languages such as Bourne shell, Perl, or Python, and it runs with the privileges of the user running gitk.
How can this vulnerability impact me?
If exploited, this vulnerability leads to arbitrary code execution with the privileges of the user running gitk. An attacker could therefore execute malicious scripts on the user's system, potentially resulting in data compromise, system alteration, or further attacks launched from that account.
What immediate steps should I take to mitigate this vulnerability?
Update Gitk to one of the fixed versions: 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, or 2.50. Until the update is applied, avoid opening untrusted Git repositories with gitk, especially those that may contain crafted filenames designed to execute arbitrary scripts.