GitHub is warning users to update their Git clients as soon as possible. A critical security vulnerability has been found in Git, affecting all Git clients and software related to Git repositories such as GitHub for Windows and GitHub for Mac.
“We strongly encourage all users…to be particularly careful when cloning or accessing Git repositories hosted on unsafe or untrusted hosts,” wrote Vicent Marti, a GitHub staffer, on the organization’s blog.
According to GitHub, the vulnerability is a client-side-only bug that does not directly affect GitHub.com or GitHub Enterprise. Git clients running any version of Microsoft Windows or OS X are susceptible to exploitation through the vulnerability. Linux clients are not affected as long as they run on a case-sensitive file system.
“An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine,” Marti wrote.
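The collision Marti describes arises when a tree entry's path component case-folds to `.git`, so that a case-insensitive checkout writes into the real repository metadata directory. The following is an added defender-side check, not code from GitHub or the Git project: it scans a list of tree paths (as `git ls-tree -r --name-only` would print them) and flags any that would collide with `.git` on a case-insensitive file system. The sample tree listing is constructed for illustration.

```python
"""
Flag repository paths that would collide with the .git directory on a
case-insensitive file system. Added example; not GitHub's or Git's own code.
"""
from typing import Iterable, List

# The directory a checkout must never be able to write into.
PROTECTED_DIR = ".git"


def is_git_dir_component(component: str) -> bool:
    """True if one path component maps onto ".git" under case folding
    (".Git", ".GIT", ...). ".gitignore" is a different name and passes."""
    return component.casefold() == PROTECTED_DIR


def find_suspicious_paths(paths: Iterable[str]) -> List[str]:
    """Return every tree path containing a component that case-folds to
    ".git". On Windows or default OS X such a path, when checked out,
    lands inside the real .git directory (e.g. ".Git/config" becomes
    ".git/config"). Nested occurrences are flagged too."""
    flagged = []
    for path in paths:
        components = path.split("/")
        if any(is_git_dir_component(c) for c in components):
            flagged.append(path)
    return flagged


# Constructed sample listing, not taken from any real repository.
SAMPLE_TREE = [
    "README.md",
    "src/main.c",
    ".gitignore",        # legitimate: the component is ".gitignore"
    ".Git/config",       # collides with .git/config on case-insensitive FS
    "vendor/.GIT/HEAD",  # same problem inside a subdirectory
]

if __name__ == "__main__":
    # Typical use: pipe `git ls-tree -r --name-only HEAD` into this check
    # before trusting a clone from an unfamiliar host.
    for suspicious in find_suspicious_paths(SAMPLE_TREE):
        print("suspicious path:", suspicious)
```

Run against a freshly fetched (not yet checked-out) repository, a non-empty result is reason to inspect the tree before checking it out on a case-insensitive system.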
The organization has released updated versions of GitHub for Windows and GitHub for Mac. In addition, GitHub announced maintenance releases for all current Git versions, a maintenance release of Git for Windows, and maintenance versions of the major Git libraries libgit2 and JGit to address the bug.
More information about the vulnerability is available here.