Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Affecting github.com/git-lfs/git-lfs/creds package, versions >=0.1.0 <3.6.1
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-GOLANG-GITHUBCOMGITLFSGITLFSCREDS-8625695
- published15 Jan 2025
- disclosed14 Jan 2025
- creditRy0taK
Introduced: 14 Jan 2025
NewCVE-2024-53263 Â (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade github.com/git-lfs/git-lfs/creds to version 3.6.1 or higher.
Overview
Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') due to the improper sanitization of URL input in the git-credential command. An attacker can exfiltrate credentials by inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) into the URL.