CVE-2025-27614

Name
CVE-2025-27614
Description
Gitk is a Tcl/Tk based Git history browser. Starting with 2.41.0, a Git repository can be crafted so that, with some social engineering, a user who has cloned it can be tricked into running an arbitrary attacker-supplied script (Bourne shell, Perl, Python, ...) by invoking "gitk filename", where filename has a particular structure. The script runs with the privileges of the invoking user. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1 (the upper bounds of the match rules below).
NVD Severity
high
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/j6t/gitk/commit/8e3070aa5e331be45d4d03e3be41f84494fce129
CONFIRM https://github.com/j6t/gitk/security/advisories/GHSA-g4v5-fjv9-mhhc
af854a3a-2127-422b-91ae-364da2661108 http://www.openwall.com/lists/oss-security/2025/07/08/4

Match rules

CPE URI Source package Min version Max version
gitk >= 2.41.0 < 2.43.7
gitk >= 2.44.0 < 2.44.4
gitk >= 2.45.0 < 2.45.4
gitk >= 2.46.0 < 2.46.4
gitk >= 2.47.0 < 2.47.3
gitk >= 2.48.0 < 2.48.2
gitk >= 2.49.0 < 2.49.1
gitk >= 2.50.0 < 2.50.1
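The fixed-version list in the description and the match rules above are the same data expressed two ways: eight maintenance branches, each affected from its first release up to (but not including) the fix. The following is an added example, not code from the gitk project or from this tracker, that encodes those ranges and decides whether a given version string is affected. It assumes (not stated on the page) that the version reported by "git --version" can stand in for the gitk version, which holds where gitk is built from the git source package as in the Alpine table below; gitk itself has no --version flag.

```python
import re
import subprocess
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected version ranges copied from this page's match rules:
# minimum inclusive, maximum exclusive (the maximum is the fixed release).
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("2.41.0", "2.43.7"),
    ("2.44.0", "2.44.4"),
    ("2.45.0", "2.45.4"),
    ("2.46.0", "2.46.4"),
    ("2.47.0", "2.47.3"),
    ("2.48.0", "2.48.2"),
    ("2.49.0", "2.49.1"),
    ("2.50.0", "2.50.1"),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Extract a (major, minor, patch) tuple from strings such as '2.47.3',
    '2.50.1-r0' (an Alpine package version) or the output of 'git --version'
    ('git version 2.47.3').  A missing patch level counts as 0, so '2.50'
    compares as 2.50.0."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no dotted version number in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def fixed_version_for(version: str) -> Optional[str]:
    """Return the fixed release on the same maintenance branch if `version`
    falls inside an affected range, or None if it is not affected
    (older than 2.41.0, already at or past the fix, or a release that lies
    outside every range)."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v < parse_version(hi):
            return hi
    return None


def is_affected(version: str) -> bool:
    """True if `version` matches one of the affected ranges."""
    return fixed_version_for(version) is not None


def check_installed_git() -> Optional[str]:
    """Run 'git --version' on this host and return its output, or None if
    git is not installed.  Assumption (not from the page): gitk is shipped
    from the same source tree as git, so the git version is used as a proxy
    for the gitk version."""
    try:
        out = subprocess.run(["git", "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.strip()


if __name__ == "__main__":
    installed = check_installed_git()
    if installed is None:
        print("git not found; nothing to check")
    else:
        fix = fixed_version_for(installed)
        state = f"affected, upgrade to {fix}" if fix else "not affected"
        print(f"{installed}: CVE-2025-27614 {state}")
```

Note that a version such as 2.43.8 sits above the 2.43.x fix and is correctly reported as not affected, while 2.50.0 is reported as affected because the first fixed 2.50 release is 2.50.1; versions before 2.41.0 never match, as the description states.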

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
git edge-main 2.50.1-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
git 3.22-main 2.49.1-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
git 3.21-main 2.47.3-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
git 3.20-main 2.45.4-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
git 3.19-main 2.43.7-r0 Natanael Copa <ncopa@alpinelinux.org> fixed