CVE-2025-27614

Gitk is a Tcl/Tk based Git history browser. Starting with 2.41.0, a Git repository can be crafted in such a way that with some social engineering a user who has cloned the repository can be tricked into running any script (e.g., Bourne shell, Perl, Python, ...) supplied by the attacker by invoking gitk filename, where filename has a particular structure. The script is run with the privileges of the user. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.6 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
GitHub_MCNA
8.6 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CISA-ADPADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 4%
Debian logo
Debian Releases
Debian Product
Codename
git
bullseye
1:2.30.2-1+deb11u2
not-affected
trixie
no-dsa
bookworm
1:2.39.5-0+deb12u2
not-affected
bullseye (security)
1:2.30.2-1+deb11u4
fixed
bookworm (security)
1:2.39.5-0+deb12u2
fixed
forky
1:2.50.1-0.1
fixed
sid
1:2.51.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
git
plucky
Fixed 1:2.48.1-0ubuntu1.1
released
oracular
Fixed 1:2.45.2-1ubuntu1.2
released
noble
Fixed 1:2.43.0-1ubuntu7.3
released
jammy
not-affected
focal
not-affected
bionic
not-affected
xenial
not-affected
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://github.com/j6t/gitk/commit/8e3070aa5e331be45d4d03e3be41f84494fce129
https://github.com/j6t/gitk/security/advisories/GHSA-g4v5-fjv9-mhhc