Cyber Posture

CVE-2025-48384

Severity: High · CISA KEV · Active Exploitation

Published: 08 July 2025
Modified: 06 November 2025
KEV Added: 25 August 2025
Patch: fixed versions are listed in the NVD description below
CVSS Score: 8.0 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0060 (69.6th percentile)
Risk Priority: 36 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-48384 is a high-severity Link Following (CWE-59) vulnerability in Git-Scm Git. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked in the top 30.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: SI-2 (Flaw Remediation). Requires timely identification, reporting, and patching of the Git flaw in config and submodule path handling to prevent path alteration and unintended hook execution.

detect: RA-5 (Vulnerability Monitoring and Scanning). Vulnerability scanning detects systems running vulnerable Git versions affected by the config parsing issue.

prevent, detect: SI-3 (Malicious Code Protection). Malicious code protection scans and blocks the executable post-checkout hook delivered through the exploited submodule.

MITRE ATT&CK Enterprise Techniques (AI)

T1204.002 Malicious File (tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.

T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Vulnerability enables arbitrary code execution via malicious post-checkout hook in Git submodule after path manipulation; requires victim user interaction to init/update submodule from crafted repo config.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.

Deeper analysisAI

CVE-2025-48384 affects Git, a fast, scalable, distributed revision control system. The vulnerability stems from Git's config value handling: trailing carriage return and line feed (CRLF) characters are stripped when reading configs, but values with a trailing carriage return (CR) are not quoted when writing, causing the CR to be lost on subsequent reads. During submodule initialization, a path with a trailing CR results in an altered path being used, leading to the submodule being checked out to an incorrect location. If a symlink exists from this altered path to the submodule's hooks directory and the submodule contains an executable post-checkout hook, the hook may execute unintentionally after checkout. The issue is rated 8.0 on CVSS 3.1 (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H) and maps to CWE-59 and CWE-436.

Exploitation requires an attacker with low privileges, such as a repository collaborator who can contribute a malicious config. The attacker crafts a submodule path with a trailing CR in the config, along with a symlink pointing the resulting altered path to the submodule's hooks directory containing a malicious executable post-checkout hook. A victim must interact by initializing or updating the submodule (UI:R), enabling network-based attacks (AV:N) despite high complexity (AC:H). Successful exploitation executes arbitrary code with high impacts on confidentiality, integrity, and availability, with changed scope due to elevated privileges in the checkout process.

Git security advisories and patches address the issue by fixing the config handling and submodule path processing in versions v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1. Mitigation guidance in the GitHub advisory (GHSA-vwqx-4fm8-6qc9), OSS-Security and Full Disclosure mailing lists, Debian LTS announcements, and CISA's Known Exploited Vulnerabilities catalog recommends immediate updates to patched versions and caution with untrusted repositories containing submodules.

The vulnerability's presence in CISA's KEV catalog points to real-world exploitation activity.
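As an added illustration (not part of this entry and not Git's own code), a defender-side pre-flight check in Python: it scans a `.gitmodules` file for config values that carry a control character such as the trailing CR described above, which Git's own reader would silently strip, and it compares `git --version` output against the fixed releases listed on this page. The constructed sample file, the example.invalid URLs, and the rule that 2.51 and later are patched are assumptions of this example.

```python
import re

# Fixed releases listed in the advisory text on this page.
FIXED_VERSIONS = ["2.43.7", "2.44.4", "2.45.4", "2.46.4", "2.47.3",
                  "2.48.2", "2.49.1", "2.50.1"]
# Constructed sample .gitmodules: the second path ends in a bare carriage
# return, the pattern the advisory describes.
SAMPLE_GITMODULES = (
    '[submodule "lib/clean"]\n\tpath = lib/clean\n'
    '\turl = https://example.invalid/clean.git\n'
    '[submodule "lib/odd"]\n\tpath = lib/odd\r\n'
    '\turl = https://example.invalid/odd.git\n'
)
SECTION_RE = re.compile(r'^\s*\[submodule\s+"(.*)"\]\s*$')
KEY_RE = re.compile(r'^\s*(\w+)\s*=\s*(.*)$')
VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)')

def scan_gitmodules(text):
    """Return (section, key, value) for each value holding a control character.
    Git strips a trailing CR when reading, so this must look at the raw text."""
    lines = text.rstrip("\n").split("\n")
    if all(ln.endswith("\r") for ln in lines):  # uniform CRLF: Windows-edited file
        lines = [ln[:-1] for ln in lines]       # keep only stray CRs for flagging
    findings, section = [], None
    for line in lines:
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = KEY_RE.match(line)
        if m and any(ord(ch) < 0x20 for ch in m.group(2)):
            findings.append((section, m.group(1), m.group(2)))
    return findings

def is_patched(version_output):
    """True if `git --version` output is at or past the fix for its release
    line; assumes 2.51+ is fixed and lines before 2.43 received no fix."""
    m = VERSION_RE.search(version_output)
    if not m:
        return False
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) > (2, 50):
        return True
    for fixed in FIXED_VERSIONS:
        fmaj, fmin, fpatch = (int(x) for x in fixed.split("."))
        if (fmaj, fmin) == (major, minor):
            return patch >= fpatch
    return False
```

Run `scan_gitmodules(open(".gitmodules").read())` on a freshly cloned untrusted repository before `git submodule update --init`; any finding is reason to inspect the repository rather than initialize it.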

Details

CWE(s): CWE-59, CWE-436
KEV Date Added: 25 August 2025

Affected Products

git-scm / git: ≤ 2.43.7 · 2.44.0 to 2.44.4 · 2.45.0 to 2.45.4
debian / debian linux: 11.0
apple / xcode: ≤ 26.0

CVEs Like This One

CVE-2025-24201: same product (Debian Linux); both on KEV
CVE-2025-27363: same product (Debian Linux); both on KEV
CVE-2025-38352: same product (Debian Linux); both on KEV
CVE-2026-24061: same product (Debian Linux); both on KEV
CVE-2025-6558: same product (Debian Linux); both on KEV
CVE-2026-34621: same vendor (Apple); both on KEV
CVE-2025-24813: same product (Debian Linux); both on KEV
CVE-2025-60710: shared CWE-59; both on KEV
CVE-2025-43300: same vendor (Apple); both on KEV
CVE-2025-43510: same vendor (Apple); both on KEV

References