CVE-2025-66413
Git for Windows is the Windows port of Git. Prior to 2.53.0(2), it is possible to obtain a user's NTLM hash by tricking them into cloning from a malicious server.
Show publicationSecurity research, tooling, and writeups.
Mohamed Benchikh · Security researcher & bug bounty hunter
RFC 8628's device authorization grant lets a TV or CLI "poll" for login on a second screen. On Google's implementation, the entire session was transferable across browsers, the authorization server never checked that the client_id and scope in the consent URL matched the ones the device_code was issued for, and prompt=none turned the whole thing into a one-click, invisible account takeover.
read the writeup →Git for Windows is the Windows port of Git. Prior to 2.53.0(2), it is possible to obtain a user's NTLM hash by tricking them into cloning from a malicious server.
Show publicationAn issue in Archive v3.3.7 allows attackers to spoof zip filenames which can lead to inconsistent filename parsing.
Show publicationAn issue in Zip Swift v2.1.2 allows attackers to execute a path traversal attack via a crafted zip entry.
Show publication