Security News > 2021 > December > 4-Year-Old Microsoft Azure Zero-Day Exposes Web App Source Code
The Microsoft Azure App Service has a four-year-old vulnerability that could reveal the source code of web apps written in PHP, Python, Ruby or Node, researchers said, that were deployed using Local Git.
The Azure App Service is a cloud computing-based platform for hosting websites and web applications.
Local Git meanwhile allows developers to initiate a local Git repository within the Azure App Service container in order to deploy code straight to the server.
The issue arises because when using Local Git, the Git folder is also uploaded and publicly accessible on unpatched systems; it's placed in the "/home/site/wwwroot" directory, which anyone could access.
Microsoft did originally deploy a mitigation, in the form of adding a "Web.config" file to the Git folder within the public directory that restricted public access; it turns out this is an incomplete fix though.
Users who deployed code via FTP or Web Deploy or Bash/SSH which resulted in files getting initialized in the web app before any git deployment;.
News URL
https://threatpost.com/microsoft-azure-zero-day-source-code/177270/
Related news
- Microsoft Fixes 78 Flaws, 5 Zero-Days Exploited; CVSS 10 Bug Impacts Azure DevOps Server (source)
- Microsoft April 2025 Patch Tuesday fixes exploited zero-day, 134 flaws (source)
- Microsoft: Windows CLFS zero-day exploited by ransomware gang (source)
- Microsoft fixes actively exploited Windows CLFS zero-day (CVE-2025-29824) (source)
- Patch Tuesday: Microsoft Fixes 134 Vulnerabilities, Including 1 Zero-Day (source)
- Microsoft Secures MSA Signing with Azure Confidential VMs Following Storm-0558 Breach (source)
- Microsoft fixes Outlook on the web search issues, failures (source)
- Commvault Confirms Hackers Exploited CVE-2025-3928 as Zero-Day in Azure Breach (source)
- Microsoft May 2025 Patch Tuesday fixes 5 exploited zero-days, 72 flaws (source)
- Patch Tuesday: Microsoft fixes 5 actively exploited zero-days (source)