Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by Devansh811 - 05.01.2026
Last edited by cbay - 05.01.2026

FS#280 - Vulnerability report

Hello Security Team,

I would like to responsibly disclose a security issue identified on your website.

Affected URL:
https://security.alwaysdata.com/.git/config

It appears that the .git directory is publicly accessible. This allows unauthenticated users to retrieve Git configuration files, indicating an exposed Git repository on the web server.

Issue Overview:
Public access to the .git directory exposes Git metadata such as repository configuration and structure. In some scenarios, this may allow an attacker to reconstruct the entire source repository and discover sensitive information (e.g., internal paths, credentials, remote URLs, or configuration history).

Impact:
An exposed .git directory may allow an attacker to:

  • Access the source code or intellectual property of the application
  • Discover internal file paths, branches, and historical changes
  • Potentially identify sensitive data such as keys or credentials if present
  • Facilitate additional targeted attacks or exploit development

Severity:
High

Suggested Remediation:

  • Block public access to the .git directory using server configuration (e.g., web server rules)
  • Remove the .git directory from the web root in production environments
  • Confirm that only necessary files are deployed in public‑facing assets

This disclosure is submitted in good faith and does not involve destructive testing.

Please let me know if you need any further information.

Kind regards,
Devansh Chauhan
Security Researcher
LinkedIn: https://www.linkedin.com/in/devansh-chauhan-b36b6a1b1/

Closed by  cbay
05.01.2026 14:58
Reason for closing:  Duplicate
Additional comments about closing:  

https://security.alwaysdata.com/task/84
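
The remediation points in the report above (keep .git out of the web root, deploy only necessary files) can be enforced as a check that runs before a directory is published. This is an added example, not part of the original report or of the site's own tooling; the function names, the sample tree, the host `git.example.invalid` and the token are constructed for illustration, and the credential test is a heuristic that only looks at http(s) remote URLs.

```python
import os
import re
import tempfile
from urllib.parse import urlsplit

VCS_NAMES = {".git", ".svn", ".hg"}  # metadata that must never reach a served directory
REMOTE = re.compile(r'^\[remote "([^"]+)"\]$')

def remotes_with_credentials(git_config_path):
    """Names of remotes whose http(s) URL embeds userinfo (user or token before '@')."""
    flagged, remote = [], None
    with open(git_config_path, encoding="utf-8", errors="replace") as fh:
        for line in (raw.strip() for raw in fh):
            if line.startswith("["):  # any section header resets the current remote
                match = REMOTE.match(line)
                remote = match.group(1) if match else None
            elif remote and "=" in line and line.split("=", 1)[0].strip() == "url":
                parts = urlsplit(line.split("=", 1)[1].strip())
                if parts.scheme in ("http", "https") and parts.username:
                    flagged.append(remote)
    return flagged

def scan_web_root(root):
    """Return (relative path, issue) pairs for VCS metadata found under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(VCS_NAMES.intersection(dirnames + filenames)):
            path = os.path.join(dirpath, name)
            findings.append((os.path.relpath(path, root), "vcs metadata in web root"))
            config = os.path.join(path, "config")
            if name == ".git" and os.path.isfile(config):
                findings += [(os.path.relpath(config, root), f"credentials in remote {r!r}")
                             for r in remotes_with_credentials(config)]
        dirnames[:] = [d for d in dirnames if d not in VCS_NAMES]  # do not descend into metadata
    return findings

def demo():
    """Scan a constructed sample tree (hypothetical host and token) and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".git"))
        os.makedirs(os.path.join(root, "static"))
        with open(os.path.join(root, ".git", "config"), "w", encoding="utf-8") as fh:
            fh.write('[core]\n\tbare = false\n[remote "origin"]\n'
                     '\turl = https://deploy:EXAMPLE-TOKEN@git.example.invalid/site.git\n')
        open(os.path.join(root, "index.html"), "w").close()
        return scan_web_root(root)

if __name__ == "__main__":
    for path, issue in demo():
        print(f"{path}: {issue}")
```

A deployment job can call `scan_web_root()` on the build output and fail when the list is non-empty; a credential finding also means the token should be rotated, since it may already have been served.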
