{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-66413", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-11-28T23:33:56.366Z", "datePublished": "2026-03-10T20:34:32.769Z", "dateUpdated": "2026-03-11T14:33:36.115Z"}, "containers": {"cna": {"title": "Git for Windows leaks NTLM hash when cloning from an attacker-controlled server", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/git-for-windows/git/security/advisories/GHSA-hv9c-4jm9-jh3x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/git-for-windows/git/security/advisories/GHSA-hv9c-4jm9-jh3x"}, {"name": "https://github.com/git-for-windows/git/releases/tag/v2.53.0.windows.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/git-for-windows/git/releases/tag/v2.53.0.windows.2"}], "affected": [{"vendor": "git-for-windows", "product": "git", "versions": [{"version": "< 2.53.0(2)", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T20:34:32.769Z"}, "descriptions": [{"lang": "en", "value": "Git for Windows is the Windows port of Git. Prior to 2.53.0(2), it is possible to obtain a user's NTLM hash by tricking them into cloning from a malicious server. Since NTLM hashing is weak, it is possible for the attacker to brute-force the user's account name and password. This vulnerability is fixed in 2.53.0(2)."}], "source": {"advisory": "GHSA-hv9c-4jm9-jh3x", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T14:33:26.196217Z", "id": "CVE-2025-66413", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:33:36.115Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Git for Windows is the Windows port of Git. Prior to 2.53.0(2), it is possible to obtain a user's NTLM hash by tricking them into cloning from a malicious server. Since NTLM hashing is weak, it is possible for the attacker to brute-force the user's account name and password. This vulnerability is fixed in 2.53.0(2)."}, {"lang": "es", "value": "Git para Windows es el puerto de Windows de Git. Antes de 2.53.0(2), es posible obtener el hash NTLM de un usuario enga\u00f1\u00e1ndolos para que clonen de un servidor malicioso. Dado que el hashing NTLM es d\u00e9bil, es posible para el atacante forzar por fuerza bruta el nombre de cuenta y la contrase\u00f1a del usuario. Esta vulnerabilidad est\u00e1 corregida en 2.53.0(2)."}], "id": "CVE-2025-66413", "lastModified": "2026-03-11T13:52:47.683", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T21:16:40.680", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/git-for-windows/git/releases/tag/v2.53.0.windows.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/git-for-windows/git/security/advisories/GHSA-hv9c-4jm9-jh3x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.53.0(2))"}}], "enrichment": {"confidence": 94.0, "confidence_source": "matching", "scores": [{"score": 94.0, "source": "matching"}]}, "original": {"product": "git", "source": "cna", "vendor": "git-for-windows"}, "product": "git", "vendor": "gitforwindows"}], "created": "2026-03-11T11:42:49.201994+00:00", "updated": "2026-03-11T11:42:49.202067+00:00", "vendors": ["gitforwindows", "gitforwindows$PRODUCT$git"]}