CVE-2025-41390
BaseFortify
Publication date: 2025-10-20
Last updated on: 2025-11-03
Assigner: Talos
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| trufflesecurity | trufflehog | 3.90.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-829 | The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-41390 is an arbitrary code execution vulnerability in TruffleHog 3.90.2, a tool used to scan Git repositories for secrets. The vulnerability occurs because TruffleHog interacts with Git repositories that may contain malicious client-side Git hooks or configurations, specifically the core.fsmonitor setting in the .git/config file. An attacker can craft a malicious Git repository with a specially crafted core.fsmonitor value that causes Git to execute arbitrary commands automatically during operations like 'git status' when TruffleHog scans the repository. This leads to arbitrary code execution on the victim's machine without their knowledge, triggered by running TruffleHog on the malicious repository. [1, 2]
How can this vulnerability impact me?
This vulnerability can lead to arbitrary code execution on your machine when you scan a maliciously crafted Git repository using TruffleHog. An attacker can execute any command with the privileges of the user running TruffleHog, potentially compromising confidentiality, integrity, and availability of your system. This could result in unauthorized data access, system manipulation, or disruption of services. The attack requires user interaction (running TruffleHog on the malicious repo) but does not require prior privileges. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting Git repositories for malicious or unusual settings in the .git/config file, specifically core.fsmonitor and other Git options that run an external command, such as core.pager, diff.external, and diff.<name>.textconv. A practical check is to read the core.fsmonitor value from the repository's .git/config, for example with `git -C /path/to/repo config core.fsmonitor`, and see whether it is set to a suspicious command (a plain boolean value such as `true` selects Git's built-in monitor rather than an external hook). Note that running `git status` on a repository copied file-for-file (not cloned) will itself execute the configured command if the vulnerability is present, so it confirms the issue rather than safely detecting it. Monitoring for unexpected file creations or command executions triggered by Git operations such as `git status` can also reveal exploitation attempts. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating TruffleHog to the patched version released on October 17, 2025, which implements scanning of a sanitized git clone rather than the original repository. Additionally, disable client-side Git hooks and dangerous Git configuration options by default, for example by running Git commands with `git -c core.fsmonitor="" status` to override and disable the core.fsmonitor setting. Avoid scanning repositories that were copied file-for-file instead of cloned via Git. For users who must scan local repositories with custom configurations, use the `--trust-local-git-config` flag cautiously. Overall, treat Git configurations from untrusted sources with caution and prefer scanning sanitized clones. [1, 2]
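The detection and override steps in the two answers above, as an added example that is not BaseFortify's, TruffleHog's, or Git's own code: a small Python parser for the git-config file format that lists the command-executing settings named above (core.fsmonitor, core.pager, diff.external, diff.<name>.textconv) and builds the matching `git -c key=` overrides from the mitigation answer. The sample config text, the hook path in it, and the `scan_repo` helper are constructed for this example.

```python
"""Inspect a repository's .git/config for settings that make Git run an
external command, and build the `git -c key=` overrides that disable them.
Added example for CVE-2025-41390; not TruffleHog's or Git's code."""
import re
from pathlib import Path

# Settings whose value Git executes as a command: exact keys plus one wildcard.
RISKY_EXACT = {"core.fsmonitor", "core.pager", "diff.external"}
RISKY_PATTERNS = [re.compile(r"^diff\..+\.textconv$")]

# Values of core.fsmonitor that select Git's built-in monitor, not a hook script.
BOOLEAN_VALUES = {"true", "false", "yes", "no", "on", "off", "1", "0"}

# [section] or [section "subsection"]
SECTION_RE = re.compile(r'^\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]$')


def _unquote(raw):
    """Drop a trailing '#'/';' comment that sits outside double quotes, remove the
    quotes and resolve backslash escapes (simplified: the escaped char is kept)."""
    out, quoted, i = [], False, 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw):
            out.append(raw[i + 1])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch in "#;" and not quoted:
            break
        else:
            out.append(ch)
        i += 1
    return "".join(out).strip()


def parse_git_config(text):
    """Parse git-config syntax into an ordered list of (dotted_key, value).
    Section and variable names are case-insensitive in Git, so they are
    lower-cased; subsection names keep their case. Order is kept because a
    later occurrence of a key overrides an earlier one."""
    entries, prefix = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, sub = m.group(1).lower(), m.group(2)
            prefix = f"{section}.{sub}" if sub is not None else section
            continue
        if prefix is None or "=" not in line:
            continue  # a bare key without '=' means boolean true, never a command
        name, _, value = line.partition("=")
        entries.append((f"{prefix}.{name.strip().lower()}", _unquote(value)))
    return entries


def find_risky_settings(config_text):
    """Return [(key, value)] for every setting Git would execute as a command."""
    hits = []
    for key, value in parse_git_config(config_text):
        if not (key in RISKY_EXACT or any(p.match(key) for p in RISKY_PATTERNS)):
            continue
        if not value:
            continue  # empty value disables the setting (what `git -c key=` does)
        if key == "core.fsmonitor" and value.lower() in BOOLEAN_VALUES:
            continue  # built-in fsmonitor daemon, not an external hook command
        hits.append((key, value))
    return hits


def override_args(hits):
    """Build the `-c key=` arguments to place before a git subcommand so each hit
    is disabled for that invocation, as in `git -c core.fsmonitor="" status`."""
    args = []
    for key, _ in hits:
        args += ["-c", f"{key}="]
    return args


def scan_repo(repo_path):
    """Read <repo>/.git/config from disk and report its risky settings."""
    return find_risky_settings(Path(repo_path, ".git", "config").read_text())


# Constructed sample: what .git/config may hold in a repo copied file-for-file
# (a fresh `git clone` writes its own config and does not carry these over).
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
\tbare = false
\tfsmonitor = "/opt/untrusted/fsmonitor-hook.sh"  ; constructed example value
[diff "secretfmt"]
\ttextconv = cat
[remote "origin"]
\turl = https://example.invalid/repo.git
"""

if __name__ == "__main__":
    hits = find_risky_settings(SAMPLE_CONFIG)
    for key, value in hits:
        print(f"risky setting: {key} = {value!r}")
    print("neutralised invocation: git", *override_args(hits), "status")
```

Point `scan_repo` at a repository directory to run the same check against a real .git/config; it only reads the file and never invokes git, so the check itself cannot trigger the configured command. The override list is the per-invocation form of the mitigation; scanning a sanitized clone, as the patched TruffleHog does, avoids the problem without needing it.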