SEC-2025-008

Pre-Authentication Token Leakage in .git Deploy Agent

We identified a vulnerability in the .git Deploy Agent (v3.2.0 – v3.4.1) that could allow an unauthenticated network-level attacker to extract valid deployment tokens via a crafted handshake request. Tokens belonging to affected customers have been proactively rotated, and stable patches are now available. We have observed no evidence of exploitation in the wild. This advisory outlines the technical details, impact, and remediation steps.

Vulnerability Overview

Component: .git Deploy Agent (CLI & Daemon)
Affected Versions: v3.2.0 through v3.4.1
Fixed Version: v3.4.2+
CVE Reference: CVE-2025-1842

The vulnerability stems from an improper validation sequence for the X-Git-Deploy-Token header during the pre-flight TLS handshake. Under specific network conditions, the daemon would log and temporarily cache incoming tokens in a world-readable memory buffer before cryptographic validation completed. An attacker with adjacent network access could intercept valid authentication material.

Impact Assessment

Successful exploitation does not grant direct access to source code repositories or CI/CD pipeline configurations. However, it may allow unauthorized deployment triggering, environment variable inspection, or pipeline status manipulation. Our threat intelligence team has confirmed zero indicators of compromise across the .git network.

Remediation

Upgrade to v3.4.2 or later immediately. The patch implements strict header validation, removes temporary buffer caching, and enforces constant-time comparison.

npm i @git/deploy-agent@latest

For enterprise managed installations:

git deploy-agent upgrade --force --version 3.4.2

Important: All tokens issued prior to March 10, 2025, have been automatically invalidated and rotated. You may need to update your CI/CD environment variables once after upgrading. Service disruption is not expected.

Timeline

2025-03-01: Vulnerability responsibly reported by an independent security researcher.
2025-03-05: .git Security Team confirms issue, isolates affected code path, and begins patch development.
2025-03-10: Proactive token rotation initiated for all affected accounts. Internal hardening deployed.
2025-03-12: Stable patch released in v3.4.2. Package registries updated.
2025-03-14: Public advisory published. CVE-2025-1842 assigned.

Report a Vulnerability

We deeply value the security research community. If you discover a potential vulnerability, please report it responsibly.

View our Responsible Disclosure Policy for scope and reward details.