Multiple security vulnerabilities, collectively called Clone2Leak, have been identified in GitHub Desktop and other Git-related projects, potentially exposing users' Git credentials to attackers. These include CVE-2025-23040, CVE-2024-50338, CVE-2024-53263, and CVE-2024-53858, affecting GitHub Desktop, Git Credential Manager, Git LFS, and GitHub CLI. Exploiting issues like carriage return smuggling and recursive repository cloning, attackers can redirect credentials to unauthorized hosts. Git has addressed these flaws in version v2.48.1, which also patches CVE-2024-52006 and CVE-2024-50349. Users should update immediately or mitigate risks by avoiding recursive cloning from untrusted repositories and limiting credential helper usage.

‍