CVE-2025-48384
Published: 08 July 2025
Summary
CVE-2025-48384 is a high-severity Link Following (CWE-59) vulnerability in Git-Scm Git. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked in the top 30.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
Git is affected by a configuration parsing inconsistency that occurs when submodule paths contain a trailing carriage return. The vulnerability stems from Git stripping CRLF characters on config reads while failing to quote trailing CR characters on writes, which causes an altered path to be used during submodule checkout. This can result in the submodule being placed at an unexpected location if a symlink redirects the mangled path to the hooks directory, allowing an executable post-checkout hook to run.
An attacker who can supply or influence a malicious .gitmodules file or repository configuration can exploit the flaw to achieve arbitrary code execution on a victim's system during submodule initialization. The attack requires the victim to perform a submodule update against attacker-controlled content and succeeds when a symlink and executable hook are present at the altered path, yielding high-impact outcomes under the reported CVSS vector.
The referenced Git security advisory and distribution lists state that the issue is resolved in versions 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1; users should upgrade and avoid initializing submodules from untrusted sources until patched. The CVE appears in the CISA known exploited vulnerabilities catalog, indicating confirmed in-the-wild exploitation, while the current EPSS score of 0.0060 remains low.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-20677
Vulnerability details
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read, resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
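Two defender-side checks that follow from the mechanism and the fixed-version list above, written as an added example (not code from the CVE record or from the Git project): a version gate that compares an installed Git against the eight fixed releases, and a pre-update scan of a .gitmodules file that flags any submodule path carrying a control character such as CR, the trait that makes the quoted read / unquoted write round trip alter the path. The .gitmodules reader is a deliberately minimal, hypothetical subset of Git's config syntax (sections, `key = value`, double-quoted values), not Git's own parser; the sample file and the `example.invalid` URLs are constructed. Two policy assumptions are also labelled in the code: release lines older than 2.43 are treated as unpatched, and lines newer than 2.50 as patched.

```python
"""Defensive checks for CVE-2025-48384 (submodule path with trailing CR).

Added example; not code from the CVE record or from the Git project.
  1. is_git_version_fixed(): compare an installed Git version against the
     fixed releases listed in the advisory.
  2. suspicious_submodule_paths(): scan a .gitmodules file for submodule
     paths containing control characters (CR, LF, ...).
The .gitmodules parser is a simplified, hypothetical subset of Git's config
syntax (an assumption, not Git's parser).
"""
import re

# Fixed releases from the advisory: first non-vulnerable patch on each line.
FIXED_VERSIONS = ["2.43.7", "2.44.4", "2.45.4", "2.46.4",
                  "2.47.3", "2.48.2", "2.49.1", "2.50.1"]

_SECTION = re.compile(r'^\[submodule\s+"(.*)"\]\s*$')


def _parse_version(text):
    """'2.47.3' or 'git version 2.47.3' -> (2, 47, 3); vendor suffixes ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_git_version_fixed(version_text):
    """True if the version is at or above the fixed patch for its release line.

    Assumptions: lines older than the oldest fixed line (2.43) got no backport
    and are treated as vulnerable; lines newer than the newest fixed line
    (2.50) were cut after the fix and are treated as fixed.
    """
    major, minor, patch = _parse_version(version_text)
    fixed = {_parse_version(v)[:2]: _parse_version(v)[2] for v in FIXED_VERSIONS}
    if (major, minor) in fixed:
        return patch >= fixed[(major, minor)]
    return (major, minor) > max(fixed)


def parse_gitmodules(text):
    """Minimal .gitmodules reader -> {name: {key: value}}.

    Mirrors the read behaviour the advisory describes: trailing CR/LF is
    stripped from each line, but characters inside a double-quoted value are
    kept verbatim, so a quoted value can still carry a CR into the path.
    """
    modules, current = {}, None
    for raw in text.split("\n"):
        line = raw.rstrip("\r\n")
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        m = _SECTION.match(line.strip())
        if m:
            current = modules.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if value.startswith('"'):
            end = value.find('"', 1)
            value = value[1:end] if end != -1 else value[1:]
        current[key.strip()] = value
    return modules


def suspicious_submodule_paths(gitmodules_text):
    """Return [(name, path, reason)] for submodule paths to reject before
    running `git submodule update`: any control character in the path."""
    findings = []
    for name, entries in parse_gitmodules(gitmodules_text).items():
        path = entries.get("path", "")
        bad = [c for c in path if ord(c) < 0x20 or ord(c) == 0x7F]
        if bad:
            codes = ", ".join(f"0x{ord(c):02x}" for c in bad)
            findings.append((name, path, f"control character(s) in path: {codes}"))
    return findings


# Constructed sample: one benign entry and one whose quoted path ends in CR.
SAMPLE_GITMODULES = (
    '[submodule "lib"]\n'
    '\tpath = lib\n'
    '\turl = https://example.invalid/lib.git\n'
    '[submodule "tool"]\n'
    '\tpath = "tool\r"\n'
    '\turl = https://example.invalid/tool.git\n'
)

if __name__ == "__main__":
    for v in ("git version 2.47.2", "git version 2.47.3", "2.51.0", "2.39.5"):
        print(f"{v:>20}: {'fixed' if is_git_version_fixed(v) else 'VULNERABLE'}")
    for name, path, reason in suspicious_submodule_paths(SAMPLE_GITMODULES):
        print(f"submodule {name!r}: {reason} (path={path!r})")
```

Run the version check against the output of `git --version` on each build host, and run the path scan in CI on any incoming .gitmodules before `git submodule update` is allowed; a finding on either check should block the update rather than warn.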
- CWE(s): CWE-59 (Link Following)
- KEV Date Added: 25 August 2025
Related Threats
MITRE ATT&CK Enterprise Techniques
- Malicious File (T1204.002)
Why these techniques?
Vulnerability enables arbitrary code execution via a malicious post-checkout hook in a Git submodule after path manipulation; requires victim user interaction to init/update the submodule from a crafted repository config.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and patching of the Git flaw in config and submodule path handling to prevent path alteration and unintended hook execution.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning detects systems running vulnerable Git versions affected by the config parsing issue.
- Malicious code protection: scans and blocks the executable post-checkout hook delivered through the exploited submodule.