Updated on 2022-12-02 GMT+08:00

Git Credential Disclosure Vulnerability (CVE-2020-5260)

Git issued a security bulletin announcing a vulnerability that could reveal Git user credentials (CVE-2020-5260). Git uses a credential helper to store and retrieve credentials, and talks to it over a line-based protocol: for each request Git writes key=value lines (protocol=, host=, username=, and so on) derived from the URL being accessed, terminated by a blank line.

When a URL contains an encoded newline (%0a) in its server-name or username portion, affected versions decode it without checking and the newline ends up inside one of those values, which injects an extra line such as a second host= into the helper's protocol stream. The helper then answers with the credentials stored for the injected host, and Git sends them to the attacker-controlled server actually named in the URL. The vulnerability is triggered when an affected version of Git runs git clone against a malicious URL, including URLs pulled in through submodules. The patched releases reject URLs whose components contain a newline.
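To make the mechanism concrete, the following script is an added example, not code from this page or from Git: it models the pre-fix conversion of a URL into a credential-helper request in plain shell and feeds the result to a helper-side parser that keeps the last value of each key, as git-credential-store does. The hosts one.example.com and two.example.com are invented, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not Git's own code: a shell model of how Git before the fix
# turned a clone URL into the line-oriented request it writes to a credential
# helper, and how a helper reads that request back. The URL below follows the
# pattern from the Git advisory; the hosts are invented.

# Percent-decode a string. awk keeps this POSIX: bash's printf '%b' "\x0a"
# would be shorter, but dash does not understand \x escapes.
url_decode() {
    printf '%s' "$1" | awk '
        BEGIN { for (i = 1; i < 256; i++) code[sprintf("%02x", i)] = i }
        {
            s = $0; out = ""
            while ((p = index(s, "%")) > 0 && length(s) >= p + 2) {
                hex = tolower(substr(s, p + 1, 2))
                if (hex in code) {
                    out = out substr(s, 1, p - 1) sprintf("%c", code[hex])
                    s = substr(s, p + 3)
                } else {
                    out = out substr(s, 1, p)
                    s = substr(s, p + 1)
                }
            }
            printf "%s", out s
        }'
}

# Pre-fix credential_from_url, reduced to the parts that matter here: the
# protocol is everything before "://", the authority runs up to the first "/",
# and the first "@" inside the authority splits username from host. Each part
# is percent-decoded and written as a key=value line, with no check that a
# decoded value contains a newline.
cred_request_pre_fix() {
    url=$1
    proto=${url%%://*}
    rest=${url#*://}
    authority=${rest%%/*}
    case $authority in
        *@*) user=${authority%%@*}; host=${authority#*@} ;;
        *)   user=""; host=$authority ;;
    esac
    printf 'protocol=%s\n' "$(url_decode "$proto")"
    printf 'host=%s\n' "$(url_decode "$host")"
    if [ -n "$user" ]; then
        printf 'username=%s\n' "$(url_decode "$user")"
    fi
    printf '\n'   # the blank line terminates the request
}

# What a helper such as git-credential-store does with that request: read
# key=value lines up to the blank line, last value for a key wins. The
# injected second host= line therefore replaces the real one.
helper_effective_host() {
    awk '/^$/ { exit } /^host=/ { host = substr($0, 6) } END { print host }'
}

# Constructed attacker URL: the "?" keeps the payload inside the host
# component, and %0a decodes to the newline that starts a new protocol line.
EVIL_URL='https://one.example.com?%0ahost=two.example.com/foo'

demo() {
    echo "request written to the helper for $EVIL_URL:"
    cred_request_pre_fix "$EVIL_URL" | sed 's/^/  /'
    echo "host the helper looks up: $(cred_request_pre_fix "$EVIL_URL" | helper_effective_host)"
    echo "host the connection, and the returned password, actually go to: one.example.com"
}
demo
```

Run it with sh. The request printed for the malicious URL contains two host= lines; the helper answers for the second one while the TLS connection goes to the first, which is exactly the credential leak the bulletin describes.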

Vulnerability ID

CVE-2020-5260

Vulnerability Name

Git credential disclosure vulnerability

Scope of Impact

Affected versions:

  • Git 2.17.x <= 2.17.3
  • Git 2.18.x <= 2.18.2
  • Git 2.19.x <= 2.19.3
  • Git 2.20.x <= 2.20.2
  • Git 2.21.x <= 2.21.1
  • Git 2.22.x <= 2.22.2
  • Git 2.23.x <= 2.23.1
  • Git 2.24.x <= 2.24.1
  • Git 2.25.x <= 2.25.2
  • Git 2.26.x <= 2.26.0

Unaffected versions:

  • Git 2.17.4
  • Git 2.18.3
  • Git 2.19.4
  • Git 2.20.3
  • Git 2.21.2
  • Git 2.22.3
  • Git 2.23.2
  • Git 2.24.2
  • Git 2.25.3
  • Git 2.26.1

Official Solution

This vulnerability has been fixed in the official releases listed above. If your Git version falls into the affected range, upgrade it to the patched release of its branch (2.17.4 through 2.26.1) or to any later version.

Download address:


Perform the following steps to scan and fix a vulnerability.

  1. Scan and view details of a vulnerability, as shown in Figure 1. For details, see Viewing Details of a Vulnerability.

    Figure 1 Manually starting a vulnerability scan

  2. Fix vulnerabilities and verify the result. For details, see Fixing Vulnerabilities and Verifying the Result.

Other Protection Measures

If you cannot upgrade for the moment, take the following measures:

  • Disable the credential helper at every configuration level (repository, user and system; the last command needs permission to write the system gitconfig) by running the following commands:

    git config --unset credential.helper

    git config --global --unset credential.helper

    git config --system --unset credential.helper

  • Be vigilant about malicious URLs.
    1. Examine the server name and username portion of URLs fed to git clone for the presence of encoded newlines (%0a) or evidence of credential-protocol injections (example:
    2. Avoid using submodules with untrusted repositories (do not use git clone --recurse-submodules; use git submodule update only after examining the URLs found in .gitmodules).
    3. Avoid tools that run git clone on your behalf against URLs you have not examined.
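As an added example, not from this page or from Git, the following script turns the measures above into checks that can run before a clone: a test of a Git version string against the patched releases listed on this page, a test of a URL for raw or encoded newlines, and a scan of the url= entries of a .gitmodules file before git submodule update. The sample .gitmodules and all function names are constructed for the example; it assumes only a POSIX shell and, for the version check of the local host, that git is on PATH.

```shell
#!/bin/sh
# Added example, not part of this page or of Git: pre-flight checks for the
# mitigations above. Function names and the sample .gitmodules are this
# example's own.

# Lowest patched release of each maintenance branch, as listed on this page.
fixed_patch_for_minor() {
    case $1 in
        17) echo 4 ;;  18) echo 3 ;;  19) echo 4 ;;  20) echo 3 ;;  21) echo 2 ;;
        22) echo 3 ;;  23) echo 2 ;;  24) echo 2 ;;  25) echo 3 ;;  26) echo 1 ;;
        *)  echo "" ;;
    esac
}

# git_version_is_patched "2.25.2" fails (affected); "2.25.3" succeeds.
# Accepts the raw output of "git --version" too. Anything unparseable, and any
# 2.x branch older than 2.17 (assumed here to have had no fix release), is
# reported as affected.
git_version_is_patched() {
    v=${1#"git version "}
    v=${v%%[!0-9.]*}                 # drop suffixes like ".windows.1" or "-rc0"
    case $v in
        *.*.*) ;;
        *.*)   v="$v.0" ;;           # "2.26" means 2.26.0
        *)     return 1 ;;
    esac
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=${rest%%.*}
    for n in "$major" "$minor" "$patch"; do
        case $n in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$major" -gt 2 ] && return 0
    [ "$major" -lt 2 ] && return 1
    [ "$minor" -ge 27 ] && return 0  # 2.27 and later were released after the fix
    fixed=$(fixed_patch_for_minor "$minor")
    [ -n "$fixed" ] && [ "$patch" -ge "$fixed" ]
}

NL=$(printf '\nx'); NL=${NL%x}       # a literal newline for the pattern below

# url_is_suspicious URL succeeds when the URL carries a raw or percent-encoded
# newline. The page points at the server-name and username parts; a newline is
# never legitimate anywhere in a clone URL, so the whole string is checked.
url_is_suspicious() {
    case $1 in
        *%0[aA]*|*"$NL"*) return 0 ;;
    esac
    return 1
}

# scan_gitmodules < .gitmodules prints every suspicious url= value and fails
# if there was one, so it can gate "git submodule update".
scan_gitmodules() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}       # strip leading whitespace
        case $line in
            url*=*) u=${line#*=}; u=${u#"${u%%[![:space:]]*}"} ;;
            *)      continue ;;
        esac
        if url_is_suspicious "$u"; then
            printf 'SUSPICIOUS: %s\n' "$u"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample .gitmodules: one ordinary entry and one whose URL injects
# a second host= line into the credential-helper request.
SAMPLE_GITMODULES='[submodule "lib"]
    path = lib
    url = https://git.example.com/lib.git
[submodule "evil"]
    path = evil
    url = https://one.example.com?%0ahost=two.example.com/foo'

main() {
    installed=$(git --version 2>/dev/null || echo 'git version unknown')
    if git_version_is_patched "$installed"; then
        echo "$installed: patched for CVE-2020-5260"
    else
        echo "$installed: affected or unknown, keep the credential helper disabled"
    fi
    if printf '%s\n' "$SAMPLE_GITMODULES" | scan_gitmodules; then
        echo "sample .gitmodules: no suspicious URLs"
    else
        echo "sample .gitmodules: do not run git submodule update"
    fi
}
main
```

In a CI job or wrapper script, call url_is_suspicious on each clone URL and scan_gitmodules on the checked-out .gitmodules before git submodule update, and stop on a non-zero exit; the version check decides whether the credential helper can be re-enabled at all.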