CVE-2025-66413 PUBLISHED

Git for Windows leaks NTLM hash when cloning from an attacker-controlled server

Assigner: GitHub_M
Reserved: 28.11.2025 Published: 10.03.2026 Updated: 11.03.2026

Git for Windows is the Windows port of Git. Prior to 2.53.0(2), it is possible to obtain a user's NTLM hash by tricking them into cloning from a malicious server. Since NTLM hashing is weak, it is possible for the attacker to brute-force the user's account name and password. This vulnerability is fixed in 2.53.0(2).

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
CVSS Score: 7.4

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	git-for-windows
Product	git
Versions	Version < 2.53.0(2) is affected

References

https://github.com/git-for-windows/git/security/advisories/GHSA-hv9c-4jm9-jh3x
https://github.com/git-for-windows/git/releases/tag/v2.53.0.windows.2

Problem Types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE