.git Security Advisories Feed
Feed ID: urn:uuid:dotgit-security-feed-2025
Official vulnerability disclosures, patches, and security policy updates for .git
Last updated: 2025-09-15T08:00:00Z
Author: .git Security Response Team <security@dotgit.dev>
© 2025 .git. All rights reserved. Advisory metadata licensed under CC BY-SA 4.0.

Entry ID: urn:uuid:GIT-SEC-2025-003
Title: CVE-2025-2145: SSRF via Malformed Remote Origin URLs
Published: 2025-09-10T14:22:00Z
Updated: 2025-09-10T14:22:00Z
Summary: Authenticated users can trigger Server-Side Request Forgery (SSRF) when cloning repositories with specially crafted remote origin URLs containing internal IP ranges or metadata endpoints.
Details: A flaw in the remote URL validation logic allows bypassing network egress restrictions. This affects CI runners and automated sync agents.
CVE: CVE-2025-2145
Severity: CRITICAL
Score: 9.8
Affected versions: 2.6.0 - 2.7.4
Fixed in: 2.7.5
Mitigation: Restrict outbound network access for git sync agents to approved domains only.

Entry ID: urn:uuid:GIT-SEC-2025-002
Title: CVE-2025-2138: Privilege Escalation via Pipeline Token Inheritance
Published: 2025-08-15T09:45:00Z
Updated: 2025-08-15T09:45:00Z
Summary: Scoped tokens generated for deployment pipelines can be inherited by downstream workflows, potentially granting unauthorized write access to protected branches.
CVE: CVE-2025-2138
Severity: HIGH
Score: 7.5
Affected versions: 2.5.1 - 2.6.3
Fixed in: 2.6.4
Mitigation: Rotate all pipeline tokens and enable strict token scoping in organization settings.

Entry ID: urn:uuid:GIT-SEC-2025-001
Title: CVE-2025-2120: Path Traversal in Artifact Archive Extraction
Published: 2025-07-20T11:30:00Z
Updated: 2025-07-20T11:30:00Z
Summary: Archive artifacts with crafted file names can escape the intended extraction directory and overwrite system configuration files during automated deployments.
CVE: CVE-2025-2120
Severity: MEDIUM
Score: 5.3
Affected versions: 2.4.0 - 2.5.0
Fixed in: 2.5.1
Mitigation: Enable sandboxed artifact extraction mode in deployment manifests.