Alpaquita LinuxStreamSecurity Advisory
Search Cve

CVE-2025-27614

Published: July 10, 2025Last modified: July 29, 2025

Description

Gitk is a Tcl/Tk based Git history browser. Starting with 2.41.0, a Git repository can be crafted in such a way that with some social engineering a user who has cloned the repository can be tricked into running any script (e.g., Bourne shell, Perl, Python, ...) supplied by the attacker by invoking gitk filename, where filename has a particular structure. The script is run with the privileges of the user. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.

Severity score breakdown

ParameterValue
Base score8.6
Attack VectorLOCAL
Attack complexityLOW
Privileges requiredNONE
User interactionREQUIRED
ScopeCHANGED
ConfidentialityHIGH
Integrity impactHIGH
Availability impactHIGH
VectorCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Status

ProductReleasePackageStatus
Alpaquita Linux23 LTSgitFixed (2.43.7-r0)
StreamgitFixed (2.50.1-r0)

References

ON THIS PAGE