CVE-2025-27613 is an OS command injection vulnerability classified under CWE-78 affecting the j6t gitk tool, a Tcl/Tk based Git history browser. The vulnerability exists in gitk versions starting from 1.7.0 up to various patched versions prior to 2.43.7 and subsequent minor releases. The issue arises when a user clones an untrusted Git repository and runs gitk without additional command-line arguments. Specifically, if the 'Support per-file encoding' option has been enabled in gitk's Preferences (which is disabled by default), the application may create or truncate files for which the user has write permissions. Additionally, invoking the 'Show origin of this line' feature in the main window triggers the same behavior regardless of the encoding option's state. This improper neutralization of special elements used in OS commands can lead to unintended file modifications, potentially allowing an attacker to alter files on the victim's system. The vulnerability requires local access to run gitk on a cloned repository and user interaction to trigger the vulnerable functionality. The CVSS 3.1 base score is 3.6 (low severity), reflecting local attack vector, low complexity, no privileges required, but requiring user interaction and resulting in integrity impact without confidentiality or availability loss. No known exploits in the wild have been reported. The issue has been fixed in gitk versions 2.43.7 and later patch releases.

For European organizations, the impact of this vulnerability is primarily on developers and users who utilize gitk to browse Git history, especially when working with untrusted repositories. The vulnerability could allow an attacker to manipulate files on the user's system, potentially leading to code tampering, insertion of malicious code, or disruption of development workflows. While the impact is limited to integrity and does not affect confidentiality or availability, the risk is heightened in environments where developers frequently clone external or third-party repositories without strict validation. This could lead to supply chain risks or compromise of development environments. Since exploitation requires user interaction and local execution, the threat is more relevant to individual developer workstations rather than automated CI/CD pipelines or servers. European organizations with large software development teams or open-source contributors may face increased exposure, particularly if gitk is part of their toolchain and users enable the vulnerable preferences or features.

Organizations should ensure that all instances of gitk are updated to the patched versions 2.43.7 or later. As a practical measure, users should avoid enabling the 'Support per-file encoding' option unless necessary and exercise caution when using the 'Show origin of this line' feature, especially with repositories from untrusted sources. Development teams should implement policies to restrict cloning of untrusted repositories or perform repository validation before use. Additionally, endpoint protection solutions can be configured to monitor and alert on unexpected file modifications initiated by gitk processes. Training developers to recognize the risks of running GUI tools on untrusted code and enforcing least privilege principles on developer workstations will further reduce risk. Finally, integrating automated scanning of developer tools and environments for outdated versions can help maintain compliance with security updates.