{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2026-04-15T01:18:09.581",
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2025-23040",
        "sourceIdentifier": "security-advisories@github.com",
        "published": "2025-01-15T18:15:24.797",
        "lastModified": "2025-01-15T18:15:24.797",
        "vulnStatus": "Awaiting Analysis",
        "cveTags": [],
        "descriptions": [
          {
            "lang": "en",
            "value": "GitHub Desktop is an open-source Electron-based GitHub app designed for git development. An attacker who convinces a user to clone a repository, directly or through a submodule, can gain access to the user's credentials through a maliciously crafted remote URL. GitHub Desktop relies on Git to perform all network-related operations (such as cloning, fetching, and pushing). When a user attempts to clone a repository, GitHub Desktop invokes `git clone`, and when Git encounters a remote that requires authentication it requests the credentials for that remote host from GitHub Desktop using the git-credential protocol. Using a maliciously crafted URL, it is possible to cause the credential request coming from Git to be misinterpreted by GitHub Desktop such that it sends credentials for a different host than the host Git is currently communicating with, allowing secret exfiltration. The GitHub username and OAuth token, or credentials for other Git remote hosts stored in GitHub Desktop, could be improperly transmitted to an unrelated host. Users should update to GitHub Desktop 3.4.12 or greater, which fixes this vulnerability. Users who suspect they may be affected should revoke any relevant credentials."
          }
        ],
        "metrics": {
          "cvssMetricV31": [
            {
              "source": "security-advisories@github.com",
              "type": "Secondary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
                "baseScore": 6.6,
                "baseSeverity": "MEDIUM",
                "attackVector": "LOCAL",
                "attackComplexity": "LOW",
                "privilegesRequired": "LOW",
                "userInteraction": "REQUIRED",
                "scope": "UNCHANGED",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "availabilityImpact": "NONE"
              },
              "exploitabilityScore": 1.3,
              "impactScore": 5.2
            }
          ]
        },
        "weaknesses": [
          {
            "source": "security-advisories@github.com",
            "type": "Secondary",
            "description": [
              {
                "lang": "en",
                "value": "CWE-522"
              }
            ]
          }
        ],
        "references": [
          {
            "url": "https://docs.github.com/en/apps/using-github-apps/reviewing-and-revoking-authorization-of-github-apps",
            "source": "security-advisories@github.com"
          },
          {
            "url": "https://git-scm.com/docs/git-credential",
            "source": "security-advisories@github.com"
          },
          {
            "url": "https://github.com/desktop/desktop/security/advisories/GHSA-36mm-rh9q-cpqq",
            "source": "security-advisories@github.com"
          }
        ]
      }
    }
  ]
}
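The description above says the bug class is a credential helper misreading which host Git is asking about. The following is an added illustration, not GitHub Desktop's code and not the exact vector from the advisory: a toy helper that speaks the git-credential request format (newline-delimited `key=value` attributes ending in a blank line, as documented at git-scm.com/docs/git-credential) and answers from a constructed in-memory store. The vulnerable lookup rebuilds a URL string from the attributes and matches stored hosts by substring, so a remote whose userinfo looks like `github.com` (a hypothetical crafted URL such as `https://github.com@evil.example/repo.git`, for which Git itself sends `host=evil.example` and `username=github.com`) is answered with the GitHub token. The hardened lookup trusts only the `host` attribute Git already resolved, requires an exact match, and rejects any attribute containing control characters, since CR/LF in a value can never be legitimate in a line-oriented protocol. The store contents, host names and request bodies are all constructed for this example.

```python
"""Host confusion in a git-credential helper: vulnerable vs hardened lookup.

Constructed example; not GitHub Desktop's implementation.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed credential store: host -> (username, secret). Values are fake.
STORE: Dict[str, Tuple[str, str]] = {
    "github.com": ("octocat", "gho_EXAMPLE_TOKEN"),
    "gitlab.example.org": ("dev", "glpat-EXAMPLE_TOKEN"),
}

# Constructed request bodies in git-credential format. Git sends the host it
# is actually talking to in `host=`; userinfo from the URL arrives as `username=`.
REQUEST_BENIGN = "protocol=https\nhost=github.com\npath=octocat/hello.git\n\n"
REQUEST_CRAFTED = (
    "protocol=https\nhost=evil.example\nusername=github.com\npath=repo.git\n\n"
)
REQUEST_CONTROL_CHARS = "protocol=https\nhost=github.com\r\n\n"

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def parse_request(raw: str) -> Dict[str, str]:
    """Parse a git-credential request: key=value lines up to a blank line."""
    attrs: Dict[str, str] = {}
    for line in raw.split("\n"):
        if line == "":
            break  # blank line terminates the request
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute line: {line!r}")
        attrs[key] = value
    return attrs


def vulnerable_lookup(attrs: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Bug class: reconstruct a URL and match stored hosts by substring.

    The helper ignores the authoritative `host` attribute and instead asks
    "does a known host appear anywhere in this URL?", so attacker-controlled
    userinfo or path text can name a host it does not own.
    """
    url = f"{attrs.get('protocol', '')}://"
    if "username" in attrs:
        url += attrs["username"] + "@"
    url += attrs.get("host", "") + "/" + attrs.get("path", "")
    for stored_host, creds in STORE.items():
        if stored_host in url:
            return creds
    return None


def hardened_lookup(attrs: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Answer only for the exact host Git resolved; refuse malformed input."""
    for key, value in attrs.items():
        if _CONTROL.search(key) or _CONTROL.search(value):
            # A newline-delimited protocol cannot carry CR/LF inside a value;
            # treat it as an attack on the framing rather than a host name.
            raise ValueError(f"control character in attribute {key!r}")
    host = attrs.get("host")
    if host is None:
        return None
    # Exact match on the resolved host; no substring or prefix logic.
    return STORE.get(host)


if __name__ == "__main__":
    crafted = parse_request(REQUEST_CRAFTED)
    print("vulnerable:", vulnerable_lookup(crafted))  # leaks the GitHub token
    print("hardened:  ", hardened_lookup(crafted))    # None
```

Run it to see the vulnerable path hand the github.com token to `evil.example` while the hardened path returns nothing. The design point is that the helper must not re-derive the target host from any string the remote influenced; Git has already parsed the URL, and the `host` attribute is the only value the helper should key on.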