CVE-2025-27613

Published: Jul 10, 2025

Modified: Nov 4, 2025

PUBLISHED

CVSS v3.1

3.6

LOW

Description

Gitk is a Tcl/Tk based Git history browser. Starting with 1.7.0, when a user clones an untrusted repository and runs gitk without additional command arguments, files for which the user has write permission can be created and truncated. The option Support per-file encoding must have been enabled before in Gitk's Preferences. This option is disabled by default. The same happens when Show origin of this line is used in the main window (regardless of whether Support per-file encoding is enabled or not). This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.

Vendor	Product	Versions
j6t	gitk	affected `>= 1.7.0, < 2.43.7` affected `>= 2.44.0, < 2.44.4` affected `>= 2.45.0, < 2.45.4` affected `>= 2.46.0, < 2.46.4` affected `>= 2.47.0, < 2.47.3` +3 more versions

Weaknesses (CWE)

CWE-78

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

None

References

https://github.com/j6t/gitk/security/advisories/GHSA-f3cw-xrj3-wr2v

x_refsource_CONFIRM

https://github.com/j6t/gitk/compare/465f03869ae11acd04abfa1b83c67879c867410c..026c397d911cde55924d7eb1311d0fd6e2e105d5

x_refsource_MISC

https://github.com/j6t/gitk/compare/7dd272eca153058da2e8d5b9960bbbf0b4f0cbaa..67a128b91e25978a15f9f7e194d81b441d603652

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-27613

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References