CVE-2025-46835

Git GUI can create and overwrite files for which the user has write permission

Description

Git GUI allows you to use the Git source control management tools via a GUI. When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite files for which the user has write permission. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.

Category

8.5
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.02%
Affected: j6t git-gui
Published at:
Updated at:

References

Link Tags
https://github.com/j6t/git-gui/security/advisories/GHSA-xfx7-68v4-v8fg
https://github.com/j6t/git-gui/compare/dcda716dbc9c90bcac4611bd1076747671ee0906..a437f5bc93330a70b42a230e52f3bd036ca1b1da

Frequently Asked Questions

What is the severity of CVE-2025-46835?
CVE-2025-46835 has been scored as a high severity vulnerability.
How to fix CVE-2025-46835?
To fix CVE-2025-46835, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-46835 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-46835 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-46835?
CVE-2025-46835 affects j6t git-gui.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.