CVE-2024-45301 MEDIUM

CVE-2024-45301: ZDI-CAN-24744: Mintty Path Conversion Improper Input Validation Information Disclosure Vulnerability

Vendor Mintty

Product mintty

Weakness CWE-20 · Input validation

Published November 12, 2025

Last update November 12, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction Required

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Mintty is a terminal emulator for Cygwin, MSYS, and WSL. In versions 2.3.6 through 3.7.4, several escape sequences can cause the mintty process to access a file in a specific path. It is triggered by simply printing them out on bash. An attacker can specify an arbitrary network path, negotiate an ntlm hash out of the victim's machine to an attacker controlled remote host. An attacker can use password cracking tools or NetNTLMv2 hashes to Pass the Hash. Version 3.7.5 fixes the issue.

Key dates

02Disclosure timeline

November 12, 2025 CVE published

November 12, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-45301 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/20.html

Related vulnerabilities

CVE-2024-45301: ZDI-CAN-24744: Mintty Path Conversion Improper Input Validation Information Disclosure Vulnerability

01Description

02Disclosure timeline

03References

04Related CVE