CVE-2025-46334: GitHub: CVE-2025-46334 Git Malicious Shell Vulnerability

Overview

Severity

N/A

Exploit Status

Not Exploited

Patch Tuesday

2025-Jul

Released

2025-07-08

Last Updated

2025-08-22

EPSS Score

0.01% (percentile: 0.9%)

Description

CVE-2025-46334 is regarding a vulnerability in Git GUI (Windows only) where a malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. On Windows, path lookup can find such executables in the worktree. These programs are invoked when the user selects "Git Bash" or "Browse Files" from the menu. GitHub created this CVE on their behalf. The documented Visual Studio updates incorporate updates in GitK which address this vulnerability. Please see CVE-2025-46334 for more information.

Affected Products (6)

Developer Tools

• Microsoft Visual Studio 2022 version 17.8
• Microsoft Visual Studio 2022 version 17.10
• Microsoft Visual Studio 2022 version 17.12
• Microsoft Visual Studio 2022 version 17.14
• Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)
• Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)

Security Updates (6)

• Release Notes
• Release Notes
• Release Notes
• Release Notes
• Release Notes
• Release Notes

Revision History

• 2025-07-08: Information published.
• 2025-08-22: Corrected the CVE Numbering Authority (CNA). This is an informational change only.