CVE-2025-27614

Summary

Gitk is a Tcl/Tk based Git history browser. Starting with 2.41.0, a Git repository can be crafted in such a way that with some social engineering a user who has cloned the repository can be tricked into running any script (e.g., Bourne shell, Perl, Python, …) supplied by the attacker by invoking gitk filename, where filename has a particular structure. The script is run with the privileges of the user. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.

Affected Software

VendorProductVersion RangeStatus
j6tgitk>= 2.41.0, < 2.43.7affected
j6tgitk>= 2.44.0, < 2.44.4affected
j6tgitk>= 2.45.0, < 2.45.4affected
j6tgitk>= 2.46.0, < 2.46.4affected
j6tgitk>= 2.47.0, < 2.47.3affected
j6tgitk>= 2.48.0, < 2.48.2affected
j6tgitk>= 2.49.0, < 2.49.1affected
j6tgitk>= 2.50.0, < 2.50.1affected

Weaknesses

  • CWE-78: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References