Cyber Resilience

CVE-2025-48384

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 08 July 2025

Modified: 06 November 2025
KEV Added: 25 August 2025
CVSS Score (v3.1): 8.0 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0060 (70.0th percentile)
Risk Priority: 36 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-48384 is a high-severity Link Following (CWE-59) vulnerability in Git (vendor: git-scm). Its CVSS v3.1 base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks in the top 30.0% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

Git is affected by a configuration parsing inconsistency that occurs when submodule paths contain a trailing carriage return. The vulnerability stems from Git stripping CRLF characters on config reads while failing to quote trailing CR characters on writes, which causes an altered path to be used during submodule checkout. This can result in the submodule being placed at an unexpected location if a symlink redirects the mangled path to the hooks directory, allowing an executable post-checkout hook to run.

An attacker who can supply or influence a malicious .gitmodules file or repository configuration can exploit the flaw to achieve arbitrary code execution on a victim's system during submodule initialization. The attack requires the victim to perform a submodule update against attacker-controlled content and succeeds when a symlink and executable hook are present at the altered path, yielding high-impact outcomes under the reported CVSS vector.

The referenced Git security advisory and distribution lists state that the issue is resolved in versions 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1; users should upgrade and avoid initializing submodules from untrusted sources until patched. The CVE appears in the CISA known exploited vulnerabilities catalog, indicating confirmed in-the-wild exploitation, while the current EPSS score of 0.0060 remains low.

Vulnerability details

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read, resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
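As an added defender-side example (not code from this page or from the Git project), the following Python turns the advisory text above into two checks: whether an installed Git release is at or beyond the fixed version for its series, and whether a repository's .gitmodules declares a submodule path that carries a trailing CR or any other control character, which is the trigger condition described above. The .gitmodules sample is constructed, and the treatment of release series newer than 2.50 or older than 2.43 is an assumption stated in the code.

```python
import re

# Fixed releases as listed in the advisory text on this page.
FIXED_VERSIONS = ["2.43.7", "2.44.4", "2.45.4", "2.46.4",
                  "2.47.3", "2.48.2", "2.49.1", "2.50.1"]

# Constructed sample .gitmodules: the second submodule's path ends in a CR.
SAMPLE_GITMODULES = (
    '[submodule "lib"]\n\tpath = lib\n\turl = https://example.invalid/lib.git\n'
    '[submodule "plugin"]\n\tpath = plugin\r\n\turl = https://example.invalid/plugin.git\n'
)

def parse_version(text):
    """Turn 'git version 2.47.1' (or bare '2.47.1') into (major, minor, patch)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised git version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_patched(text):
    """True if this Git release includes the CVE-2025-48384 fix.
    Assumptions not stated on the page: every series newer than 2.50 carries
    the fix, and no series older than 2.43 has a fixed release."""
    major, minor, patch = parse_version(text)
    fixed_patch = {parse_version(f)[1]: parse_version(f)[2] for f in FIXED_VERSIONS}
    if (major, minor) > (2, 50):
        return True
    if major < 2 or minor < 43:
        return False
    return patch >= fixed_patch[minor]

def find_suspicious_submodule_paths(gitmodules_text):
    """Return (submodule name, path) pairs whose path holds a control character.
    A trailing CR is the trigger the advisory describes; any control character
    is flagged because none belongs in a submodule path."""
    findings, section = [], None
    for raw in gitmodules_text.split("\n"):        # split on LF only, so a CR survives
        line = raw.strip(" \t")
        head = re.match(r'\[submodule "(.*)"\]', line)
        if head:
            section = head.group(1)
            continue
        value = re.match(r"path\s*=(.*)", line)
        if section and value:
            path = value.group(1).lstrip(" \t")     # keep trailing whitespace and CR
            if any(ord(c) < 32 or c == "\x7f" for c in path):
                findings.append((section, path))
    return findings
```

Feed the output of `git --version` to `is_patched` and the text of a repository's .gitmodules to `find_suspicious_submodule_paths`; a non-empty result from the latter is a reason not to run `git submodule update` on that checkout.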

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1204.002 Malicious File (Execution): An adversary may rely upon a user opening a malicious file in order to gain execution.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability enables arbitrary code execution via a malicious post-checkout hook in a Git submodule after path manipulation; it requires the victim to initialize or update a submodule from a crafted repository configuration.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-24201 (same product: Debian Linux; both on KEV)
CVE-2026-24061 (same product: Debian Linux; both on KEV)
CVE-2025-27363 (same product: Debian Linux; both on KEV)
CVE-2025-38352 (same product: Debian Linux; both on KEV)
CVE-2023-5631 (same product: Debian Linux; both on KEV)
CVE-2025-6558 (same product: Debian Linux; both on KEV)
CVE-2026-34621 (same vendor: Apple; both on KEV)
CVE-2025-24813 (same product: Debian Linux; both on KEV)
CVE-2025-60710 (shared CWE-59; both on KEV)
CVE-2025-43529 (same vendor: Apple; both on KEV)

Affected Assets

git-scm / git: ≤ 2.43.7 · 2.44.0 — 2.44.4 · 2.45.0 — 2.45.4
debian / debian linux: 11.0
apple / xcode: ≤ 26.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent (SI-2 Flaw Remediation)

Requires timely identification, reporting, and patching of the Git flaw in config and submodule path handling to prevent path alteration and unintended hook execution.

Detect (RA-5 Vulnerability Monitoring and Scanning)

Vulnerability scanning detects systems running Git versions affected by the config parsing issue.

Prevent / Detect (malicious code protection)

Malicious code protection scans and blocks the executable post-checkout hook delivered through the exploited submodule.