CVE-2025-48064: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in desktop desktop

Severity: Low
Tags: Vulnerability, CVE-2025-48064, cve, cwe-200
Published: Wed May 21 2025 (05/21/2025, 17:40:57 UTC)
Source: CVE
Vendor/Project: desktop
Product: desktop

Description

GitHub Desktop is an open-source, Electron-based GitHub app designed for git development. Prior to version 3.4.20-beta3, an attacker convincing a user to view a file in a commit of their making in the history view can cause information disclosure by means of Git attempting to access a network share. This affects GitHub Desktop users on Windows that view malicious commits in the history view. macOS users are not affected. When viewing a file diff in the history view, GitHub Desktop will call `git log` or `git diff` with the object id (SHA) of the commit, the name of the file, and the old name of the file if the file has been renamed. As a security precaution, Git will attempt to fully resolve the old and new path via `realpath`, traversing symlinks, to ensure that the resolved paths reside within the repository working directory. This can lead to Git attempting to access a path that resides on a network share (UNC path), and in doing so Windows will attempt to perform NTLM authentication, which passes information such as the computer name, the currently signed-in (Windows) user name, and an NTLM hash. GitHub Desktop 3.4.20 and later fix this vulnerability. The beta channel includes the fix in 3.4.20-beta3. As a workaround to use until upgrading is possible, only browse commits in the history view that come from trusted sources.

AI-Powered Analysis

Last updated: 07/07/2025, 13:41:36 UTC

Technical Analysis

CVE-2025-48064 is a vulnerability affecting GitHub Desktop, an open-source Electron-based application used for Git version control operations. The flaw exists in versions prior to 3.4.20-beta3 on Windows platforms. When a user views a file in a commit within the history view, GitHub Desktop internally calls Git commands such as `git log` or `git diff` with commit object IDs and file names. As part of its operation, Git attempts to resolve file paths fully using `realpath`, which traverses symbolic links to ensure paths remain within the repository directory. However, if a malicious commit contains file paths that resolve to network shares (UNC paths), Git will attempt to access these shares. On Windows, this triggers an automatic NTLM authentication attempt, leaking sensitive information including the computer name, the logged-in Windows username, and an NTLM hash. This exposure occurs without requiring elevated privileges but does require user interaction (viewing the malicious commit). macOS users are not affected due to differences in path resolution and authentication mechanisms. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information) and has a CVSS v3.1 score of 3.3 (low severity). The issue is fixed in GitHub Desktop version 3.4.20 and later, including the beta 3.4.20-beta3. Until patched, users are advised to only browse commits from trusted sources to avoid triggering the vulnerability. No known exploits are currently reported in the wild.

Potential Impact

For European organizations, this vulnerability poses a limited but non-negligible risk. The exposure of NTLM hashes and user/computer names could facilitate further lateral movement or credential replay attacks within corporate networks if an attacker can trick users into viewing malicious commits. While the initial impact is information disclosure only, leaked NTLM hashes can be used in relay or brute-force attacks to escalate privileges or access sensitive resources. Organizations with Windows-based developers using GitHub Desktop are at risk, especially if they handle code from untrusted or external contributors. The risk is mitigated by the low CVSS score and requirement for user interaction, but targeted attacks against software development teams or supply chain compromise scenarios could leverage this vulnerability to gain footholds in networks. The vulnerability does not affect macOS users, reducing the overall impact in mixed-OS environments. Since no known exploits are reported, the immediate threat level is low, but the potential for credential exposure warrants prompt remediation in sensitive environments.

Mitigation Recommendations

1. Upgrade GitHub Desktop to version 3.4.20 or later as soon as possible to apply the official fix.
2. Until upgrading, restrict developers from viewing commits from untrusted or unknown sources in the history view to avoid triggering the vulnerability.
3. Implement network segmentation and monitoring to detect unusual NTLM authentication attempts or SMB traffic from developer workstations.
4. Enforce the use of multi-factor authentication (MFA) and strong credential policies to reduce the risk from leaked NTLM hashes.
5. Educate development teams about the risks of opening commits from unknown contributors and encourage verification of code sources.
6. Consider disabling automatic network share access or NTLM authentication on developer machines if feasible, using Group Policy or local security policies.
7. Monitor logs for suspicious authentication attempts that may indicate exploitation attempts.
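A detection check covering recommendations 3 and 7, added here as an example and not taken from the advisory or from GitHub Desktop: it flags Sysmon-style network-connection events in which `git.exe` opens an SMB connection (TCP 445/139) to a host outside an allowlist of internal file-server ranges. The JSON field names follow Sysmon Event ID 3; the sample events, the `10.20.0.0/16` allowlist and the documentation-range addresses are constructed assumptions.

```python
import ipaddress
import json
import ntpath

# Ranges where SMB from a developer workstation is expected (constructed placeholder
# for an organisation's own file-server subnets; adjust per environment).
EXPECTED_SMB_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
# The process that, per the advisory, resolves the path and touches the share.
GIT_IMAGES = {"git.exe"}
SMB_PORTS = {445, 139}


def is_suspicious_smb(event: dict) -> bool:
    """True when a Git process opens an SMB connection outside the expected ranges."""
    if event.get("EventID") != 3 or str(event.get("Protocol", "")).lower() != "tcp":
        return False
    if ntpath.basename(event.get("Image", "")).lower() not in GIT_IMAGES:
        return False
    try:
        port = int(event.get("DestinationPort", 0))
        dest = ipaddress.ip_address(event.get("DestinationIp", ""))
    except ValueError:  # malformed port or address: not a match, not a crash
        return False
    if port not in SMB_PORTS:
        return False
    return not any(dest in net for net in EXPECTED_SMB_NETWORKS)


def scan_events(jsonl: str) -> list:
    """Return (UtcTime, User, DestinationIp) for every flagged event, in input order."""
    hits = []
    for line in filter(None, (ln.strip() for ln in jsonl.splitlines())):
        event = json.loads(line)
        if is_suspicious_smb(event):
            hits.append((event["UtcTime"], event["User"], event["DestinationIp"]))
    return hits


# Constructed sample in the shape of Sysmon Event ID 3 records exported as JSON lines:
# git.exe to an unexpected host on 445 (flagged), git.exe to an internal share (ok),
# git.exe HTTPS traffic (ok), and explorer.exe SMB (outside this rule's scope).
SAMPLE_EVENTS = r"""
{"EventID": 3, "UtcTime": "2025-05-22 09:14:03.117", "Image": "C:\\Program Files\\Git\\cmd\\git.exe", "User": "CORP\\alice", "Protocol": "tcp", "DestinationIp": "198.51.100.23", "DestinationPort": 445}
{"EventID": 3, "UtcTime": "2025-05-22 09:14:05.002", "Image": "C:\\Program Files\\Git\\cmd\\git.exe", "User": "CORP\\alice", "Protocol": "tcp", "DestinationIp": "10.20.4.7", "DestinationPort": 445}
{"EventID": 3, "UtcTime": "2025-05-22 09:15:11.440", "Image": "C:\\Program Files\\Git\\cmd\\git.exe", "User": "CORP\\alice", "Protocol": "tcp", "DestinationIp": "192.0.2.10", "DestinationPort": 443}
{"EventID": 3, "UtcTime": "2025-05-22 09:16:02.910", "Image": "C:\\Windows\\explorer.exe", "User": "CORP\\alice", "Protocol": "tcp", "DestinationIp": "198.51.100.23", "DestinationPort": 445}
"""

if __name__ == "__main__":
    for when, user, ip in scan_events(SAMPLE_EVENTS):
        print(f"{when} {user}: git.exe opened SMB to unexpected host {ip}")
```

Pair the rule with the NTLM audit events from recommendation 7, since a hit here is only the connection attempt and not proof that credentials were sent.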

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-05-15T16:06:40.941Z
CISA Enriched: false
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682e12f6c4522896dcc6934f

Added to database: 5/21/2025, 5:52:54 PM

Last enriched: 7/7/2025, 1:41:36 PM

Last updated: 8/15/2025, 11:12:00 PM
