Exploitation of Git Vulnerability CVE-2025-48384

Successful exploitation could allow a remote attacker to execute arbitrary code upon cloning a Git repository

Threat ID:: CC-4696
Threat Severity:: Medium
Published:: 27 August 2025 1:59 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Successful exploitation could allow a remote attacker to execute arbitrary code upon cloning a Git repository

Affected platforms

The following platforms are known to be affected:

git

Please see GitHub Security Advisory GHSA-vwqx-4fm8-6qc9 for a list of affected Git versions.

Threat details

Exploitation of CVE-2025-48384

CVE-2025-48384 has been observed being exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog. The NHS England National CSOC assesses further exploitation as likely.

Introduction

In July, a security update for Git was released to address a high severity arbitrary code execution vulnerability (CVE-2025-48384). The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-48384 to the Known Exploited Vulnerabilities (KEV) Catalog.

CVE-2025-48384 - Git Allows Arbitrary Code Execution Through Broken Config Quoting - CVSSv3 score: 8.1

Remediation advice

Affected organisations are encouraged to review GHSA-vwqx-4fm8-6qc9 for a list of fixed versions, and apply the relevant updates as soon as possible.

Definitive source of threat updates

CVE Vulnerabilities

Status Published

CVE-2025-48384

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.

Last edited: 27 August 2025 1:59 pm