Prototype Pollution in Webhook Configuration Parser Leading to Privilege Escalation
Summary
The .git security team has identified and resolved a High severity vulnerability in the webhook configuration parser used across the .git CLI and .git Cloud services. An attacker with access to craft webhook payloads could exploit prototype pollution to inject properties into the global object prototype, potentially leading to privilege escalation and unauthorized access to repository metadata.
This vulnerability affects .git CLI versions prior to 4.2.1 and all .git Cloud environments running the legacy webhook processor before the January 12, 2025 patch.
If you are using .git CLI v4.2.0 or earlier, please update immediately to v4.2.1 or later. Cloud users are automatically protected as of Jan 12, 2025 at 09:00 UTC.
Technical Details
Vulnerability Description
The webhook configuration parser in lib/config/webhook-parser.js used an unsafe deep-merge utility that failed to sanitize object keys. By sending a crafted payload containing __proto__ or constructor.prototype keys, an attacker could write into Object.prototype, which every plain object inherits from.
Specifically, injecting a role property into the prototype meant that subsequent configuration checks saw a role on user objects that never had one of their own, so permission checks evaluated incorrectly and granted elevated access.
{
  "webhook": {
    "url": "https://attacker.example.com/hook",
    "events": ["push"],
    "__proto__": {
      "role": "admin"
    }
  }
}
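The following is an added illustration, not code from the .git project: a minimal deep-merge with the defect described above beside a hardened version that drops prototype keys and never recurses into inherited properties. The payload, the permission check and the function names are constructed for the example.

```javascript
// Constructed sample payload with the shape shown in the advisory.
// JSON.parse creates "__proto__" as an ordinary own property, so a naive
// key-by-key merge will see it.
const PAYLOAD_JSON = `{
  "webhook": {
    "url": "https://attacker.example.com/hook",
    "events": ["push"],
    "__proto__": { "role": "admin" }
  }
}`;

const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable merge (hypothetical): target["__proto__"] resolves to the
// inherited Object.prototype, so the nested {role: "admin"} is merged into it.
function unsafeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeDeepMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: refuse prototype keys outright and only recurse into
// properties the target actually owns, never into inherited accessors.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeDeepMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Permission check that trusts any reachable "role" (the failing pattern).
function isAdmin(user) {
  return user.role === "admin";
}

// Merge the payload with the given strategy and report whether an unrelated
// user object, which has no role of its own, now passes the admin check.
function escalatesPrivilege(mergeFn) {
  mergeFn({}, JSON.parse(PAYLOAD_JSON));
  const guest = { name: "guest" };
  const escalated = isAdmin(guest);
  delete Object.prototype.role; // undo any pollution so later code is unaffected
  return escalated;
}
```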
Impact
- Privilege Escalation: Attackers could potentially elevate standard user roles to administrative privileges in affected scopes.
- Data Leakage: Injected properties could expose sensitive environment variables or repository metadata.
- Service Disruption: Severe pollution could cause denial of service in the configuration service.
There is no evidence of exploitation in the wild. However, due to the critical nature of the impact, we are treating this as a high-priority patch.
Remediation
.git CLI Users
Update to the latest version immediately:
# Update via npm
npm update -g @git/cli
# Verify the installed version
git --version
# Expected: .git CLI v4.2.1 or later
.git Cloud Users
All .git Cloud instances have been patched automatically. No action is required for cloud users. However, we recommend rotating any webhook secrets as a precautionary measure.
# Regenerate webhook secret for a project
git webhook rotate --project <project-id>
# List active webhooks
git webhook list
After updating, you can verify the patch by running git health check. A successful check will indicate no known security vulnerabilities.
Timeline
Acknowledgements
We sincerely thank Alex Chen (@0xd0ff) for responsibly reporting this vulnerability and working with our team to ensure a safe and coordinated release. Alex earned a reward through the .git Bug Bounty Program.
If you believe you have found a security vulnerability in .git, please report it to security@git.dev or via our Bug Bounty Program. We welcome responsible disclosure and offer rewards for valid reports.