
Credential-leaking vulnerability in some Git credential managers

Security researcher RyotaK has shared a series of vulnerabilities that all have to do with how Git interfaces with external credential managers. In short, while Git guards against newline characters (\n) being injected into a repository's URL, the standard libraries of some programming languages also treat a carriage return (\r) as a line terminator. Adding a percent-encoded carriage return to a repository's URL can therefore cause Git and the credential manager to disagree on where one field of the line-based credential protocol ends and the next begins, ultimately resulting in Git credentials being sent to the wrong host. Malicious repositories could include Git submodules with malformed URLs, triggering the bug on clone. Only password-based authentication through an external credential manager is vulnerable to this attack; SSH-based authentication is unaffected. The Git project has chosen to consider this a vulnerability in Git, given the large amount of external software affected. The project has fixed the bug on its end by releasing updates for all supported versions that ban carriage returns in URLs entirely.

Affected software includes GitHub Desktop and Git LFS, and possibly other Git utilities; RyotaK's write-up notes that Git LFS reads its own configuration file and so can be reached without going through Git's URL check at all:

Since Git itself doesn't use the .lfsconfig file, specifying the URL that contains the newline character in .lfsconfig causes Git LFS to insert the newline character into the message, while bypassing [...] Git's validation.

Enumerating badness

Posted Jan 30, 2025 8:14 UTC (Thu) by epa (subscriber, #39769)

The set of allowed characters in URLs is well specified. Rather than disallowing particular bad characters, surely any software that stores a URL should allow only characters in that set?

Enumerating badness

Posted Jan 30, 2025 8:52 UTC (Thu) by danielthompson (subscriber, #97243)

The malicious URL doesn't contain invalid characters: the carriage return is properly encoded as %0d. The problem emerges because git's processing of %0d results in a carriage return appearing in the (not-a-URL) data that passes between git and its credential helper.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds