CVE-2025-48384 Overview
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
Critical Impact
Exploitation of this vulnerability may lead to unauthorized command execution on the affected systems.
Affected Products
- git-scm git
- debian debian_linux
- apple xcode
Discovery Timeline
- 2025-07-08 - CVE CVE-2025-48384 published to NVD
- 2025-11-06 - Last updated in NVD database
Technical Details for CVE-2025-48384
Vulnerability Analysis
The vulnerability arises from the improper handling of trailing carriage return (CR) characters in submodule paths when Git reads and writes configuration values. A path read back without its CR is checked out to a different location than the one recorded, and if a symlink redirects that location into the submodule's hooks directory, an executable post-checkout hook shipped in the submodule can run after checkout.
Root Cause
Improper handling of trailing CR characters when reading and writing config entries in Git.
Attack Vector
Network
# Incorrect handling example: a value with a trailing CR is written unquoted,
# so the CR lands directly before the line feed (written to a scratch file
# here rather than a real .git/config)
config_value="$(printf 'incorrect value\r')"
printf '[example]\n\tkey = %s\n' "$config_value" > example.config
od -c example.config            # the \r is present on disk
# Reading the config later causes the CR to be lost
git config --file example.config example.key | od -c
Detection Methods for CVE-2025-48384
Indicators of Compromise
- Unintended script execution in submodules
- Presence of unexpected symlinks in the repository
- Suspicious modifications in .git/config
Detection Strategies
Monitor for changes in submodule paths that include carriage return characters. Use file integrity monitoring to detect unauthorized changes in .git/config.
Monitoring Recommendations
Implement continuous monitoring using SentinelOne XDR to detect anomalies in submodule management and script execution.
How to Mitigate CVE-2025-48384
Immediate Actions Required
- Immediately upgrade Git to one of the patched versions: v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, or v2.50.1
- Review all Git config files for unexpected trailing CR characters
- Remove or secure symlink paths pointing to unauthorized directories
Patch Information
Patched versions are available and should be implemented to resolve this vulnerability. Visit the Git Advisory for detailed patch notes.
Workarounds
Ensure all configuration and path settings are sanitized to remove trailing CR characters before use.
# Workaround example: strip a trailing CR from every line of the config file (GNU sed syntax)
sed -i 's/\r$//' .git/config
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.