CVE-2025-27614

EUVD-2025-21004
Gitk is a Tcl/Tk based Git history browser. Starting with 2.41.0, a Git repository can be crafted in such a way that with some social engineering a user who has cloned the repository can be tricked into running any script (e.g., Bourne shell, Perl, Python, ...) supplied by the attacker by invoking gitk filename, where filename has a particular structure. The script is run with the privileges of the user. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.6 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
GitHub_MCNA
8.6 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 4%
Debian logo
Debian Releases
Debian Product
Codename
git
bookworm
1:2.39.5-0+deb12u3
not-affected
bookworm (security)
1:2.39.5-0+deb12u2
fixed
bullseye
1:2.30.2-1+deb11u2
not-affected
bullseye (security)
1:2.30.2-1+deb11u5
fixed
forky
1:2.51.0-1
fixed
sid
1:2.53.0-1
fixed
trixie
1:2.47.3-0+deb13u1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
git
bionic
not-affected
focal
not-affected
jammy
not-affected
noble
Fixed 1:2.43.0-1ubuntu7.3
released
oracular
Fixed 1:2.45.2-1ubuntu1.2
released
plucky
Fixed 1:2.48.1-0ubuntu1.1
released
xenial
not-affected
Common Weakness Enumeration
References
https://github.com/j6t/gitk/commit/8e3070aa5e331be45d4d03e3be41f84494fce129
https://github.com/j6t/gitk/security/advisories/GHSA-g4v5-fjv9-mhhc
http://www.openwall.com/lists/oss-security/2025/07/08/4