CVE-2025-46334 is an OS command injection vulnerability classified under CWE-78 affecting the j6t git-gui tool on Windows platforms. Git-gui provides a graphical interface to Git SCM tools and invokes executables such as sh.exe or textconv filter programs (e.g., astextplain) when users select Git Bash or Browse Files from the menu. Due to the Tcl interpreter's design on Windows, the search path for executables includes the current directory, which is atypical and insecure. This behavior allows a malicious Git repository to include crafted versions of these executables in its directory. When the user interacts with the GUI and triggers these commands, the malicious executables run with the user's privileges, leading to arbitrary code execution. The vulnerability affects multiple versions of git-gui prior to 2.43.7 and various subsequent minor versions before their respective patches. The CVSS v3.1 score is 8.6 (high severity), reflecting local attack vector, low complexity, no privileges required, user interaction needed, and a scope change with high impact on confidentiality, integrity, and availability. No known exploits have been reported in the wild as of publication. The vulnerability is mitigated by updating to patched versions starting from 2.43.7 and later incremental patches.

For European organizations, this vulnerability poses a significant risk especially for software development teams using git-gui on Windows. Successful exploitation allows attackers to execute arbitrary code with the user's privileges, potentially leading to data theft, unauthorized system modifications, or disruption of development environments. This can compromise source code integrity, leak sensitive intellectual property, and disrupt business operations. Since the attack requires user interaction (selecting Git Bash or Browse Files), social engineering or malicious repository distribution could be used to trigger the exploit. Organizations with distributed development teams or those relying on open-source repositories are particularly vulnerable. The impact extends to supply chain security, as malicious repositories could be crafted to exploit this flaw. Given the high CVSS score, the vulnerability could facilitate lateral movement within networks if exploited on developer machines connected to corporate infrastructure.

European organizations should immediately identify all instances of j6t git-gui running on Windows and verify their versions. All affected versions prior to 2.43.7 and the specified intermediate versions should be upgraded to the latest patched releases (2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, or 2.50.1). Additionally, organizations should implement strict controls on repository sources, ensuring only trusted repositories are cloned or used. User education is critical to prevent interaction with untrusted repositories or suspicious GUI options. Employ endpoint protection solutions capable of detecting anomalous execution of unexpected binaries in development directories. Consider restricting execution permissions on repository directories to prevent execution of unauthorized binaries. Monitoring and alerting on unusual process creation events related to git-gui or sh.exe can help detect exploitation attempts. Finally, incorporate this vulnerability into supply chain risk assessments and secure software development lifecycle (SDLC) practices.