CVE-2022-41953— Git clone remote code execution vulnerability in git-for-windows
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2022-41953
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Git clone remote code execution vulnerability in git-for-windows
Source: NVD (National Vulnerability Database)
Vulnerability Description
Git GUI is a convenient graphical tool that comes with Git for Windows. Its target audience is users who are uncomfortable with using Git on the command-line. Git GUI has a function to clone repositories. Immediately after the local clone is available, Git GUI will automatically post-process it, among other things running a spell checker called `aspell.exe` if it was found. Git GUI is implemented as a Tcl/Tk script. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable _always includes the current directory_. Therefore, malicious repositories can ship with an `aspell.exe` in their top-level directory which is executed by Git GUI without giving the user a chance to inspect it first, i.e. running untrusted code. This issue has been addressed in version 2.39.1. Users are advised to upgrade. Users unable to upgrade should avoid using Git GUI for cloning. If that is not a viable option, at least avoid cloning from untrusted sources.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
不可信的搜索路径
Source: NVD (National Vulnerability Database)
Vulnerability Title
Git 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Git是一套免费、开源的分布式版本控制系统。 Git GUI存在代码问题漏洞,该漏洞源于Tcl脚本在Windows上的危险设计,导致在查找可执行文件时的搜索路径始终包括当前目录。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| git-for-windows | git | < 2.39.1 | - |
II. Public POCs for CVE-2022-41953
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2022-41953
请登录查看更多情报信息。
- https://github.com/git-for-windows/git/pull/4219x_refsource_MISC
- https://www.tcl.tk/man/tcl8.6/TclCmd/exec.html#M23x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2022-41953
IV. Related Vulnerabilities
Same product: git
- CVE-2026-32631
Git for Windows: `git clone` from manipulated repositories c - CVE-2025-66413
Git for Windows leaks NTLM hash when cloning from an attacke - CVE-2025-48384
Git allows arbitrary code execution through broken config qu - CVE-2025-48385
Git alllows arbitrary file writes via bundle-uri parameter i - CVE-2025-48386
Git allows a buffer overflow in 'wincred' credential helper
Same vendor: git-for-windows
- CVE-2026-32631
Git for Windows: `git clone` from manipulated repositories c - CVE-2025-66413
Git for Windows leaks NTLM hash when cloning from an attacke - CVE-2023-29012
Git CMD erroneously executes `doskey.exe` in the current dir - CVE-2023-29011
Git for Windows's config file of `connect.exe` is susceptibl - CVE-2023-25815
Git looks for localized messages in the wrong place
Same weakness: CWE-426
- CVE-2026-7309
Openshift-controller-manager: openshift container platform: - CVE-2026-35368
uutils coreutils chroot Local Privilege Escalation and chroo - CVE-2026-35603
Claude Code: Insecure System-Wide Configuration Loading Enab - CVE-2026-40947
Yubico多款产品 安全漏洞 - CVE-2026-27290
Adobe Framemaker | Untrusted Search Path (CWE-426)
V. Comments for CVE-2022-41953
No comments yet