- Status Closed
- Assigned To cbay - Private
Opened by Vinit - 12.01.2026
Last edited by cbay - 12.01.2026
FS#286 - Public Exposure of .git Repository Leads to Source Code Disclosure
Date: 12-01-2026
Researcher: Vinit Mevada
Severity: High - Critical
Hello alwaysdata Team,
I hope you are doing well. While performing a security assessment of your application, I identified a potential security issue related to the public exposure of the .git directory. Due to improper server configuration, the .git repository is accessible without authentication, which may lead to sensitive information disclosure.
Impact:
- An attacker can download the complete Git repository, including source code and commit history.
- Sensitive information such as configuration details, credentials, or API keys (if present in commits) can be exposed.
- Access to source code enables attackers to analyze application logic and identify further vulnerabilities.
- Disclosure of internal development information can result in intellectual property loss and increase the overall attack surface.
Steps to Reproduce:
1. Open a web browser.
2. Navigate to the following endpoint: https://security.alwaysdata.com/.git/config
3. Observe that the .git directory or its internal files are accessible without authentication.
A screenshot of the accessible endpoint has been attached for reference.
email to contact - vinitharsh20@gmail.com
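For the exposure class described in this report, a pre-deployment check can confirm that no version-control metadata sits inside the directory the web server publishes. The following is an added example, not part of the original report or of alwaysdata's code; the function names and the sample directory tree are hypothetical and constructed for illustration.

```python
import os
import tempfile

# Version-control metadata directories that should never be under a served docroot.
VCS_DIRS = {".git", ".svn", ".hg"}

def find_vcs_metadata(docroot):
    """Return sorted docroot-relative paths of VCS metadata under docroot."""
    findings = []
    for current, dirs, files in os.walk(docroot):
        for name in sorted(dirs):
            if name in VCS_DIRS:
                findings.append(os.path.relpath(os.path.join(current, name), docroot))
                dirs.remove(name)  # prune: no need to descend into the repository
        # A ".git" *file* (submodule or linked worktree) names a repository
        # elsewhere; it discloses paths and signals a checkout deployed as-is.
        if ".git" in files:
            pointer = os.path.join(current, ".git")
            with open(pointer, "r", errors="replace") as fh:
                if fh.readline().startswith("gitdir:"):
                    findings.append(os.path.relpath(pointer, docroot))
    return sorted(findings)

def build_sample_docroot(base):
    """Constructed sample tree: one clean directory, two leaking locations."""
    os.makedirs(os.path.join(base, "static", "css"))
    os.makedirs(os.path.join(base, ".git", "objects"))
    with open(os.path.join(base, ".git", "config"), "w") as fh:
        fh.write("[core]\n\trepositoryformatversion = 0\n")
    os.makedirs(os.path.join(base, "vendor", "lib"))
    with open(os.path.join(base, "vendor", "lib", ".git"), "w") as fh:
        fh.write("gitdir: ../../.git/modules/lib\n")
    return base

def demo():
    """Run the audit over the constructed sample tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_vcs_metadata(build_sample_docroot(tmp))

if __name__ == "__main__":
    for path in demo():
        print("VCS metadata inside docroot:", path)
```

Run against the real document root in a deploy pipeline and fail the build on any finding; deploying from an export or build artifact instead of a working checkout removes the metadata at the source.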
Screenshot 2026-01-12 192600....
7_7
7_7
config.items
dump_app