SentinelOne

CVE-2025-48384: Git-scm Git RCE Vulnerability via CRLF

CVE-2025-48384 is a remote code execution vulnerability in Git-scm Git caused by improper handling of carriage return characters in submodule paths. This article covers technical details, affected versions, and patches.

CVE-2025-48384 Overview

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, so the CR is lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read, resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.

Critical Impact

Exploitation of this vulnerability may lead to unauthorized command execution on the affected systems.

Affected Products

  • git-scm git
  • debian debian_linux
  • apple xcode

Discovery Timeline

  • 2025-07-08 - CVE CVE-2025-48384 published to NVD
  • 2025-11-06 - Last updated in NVD database

Technical Details for CVE-2025-48384

Vulnerability Analysis

The vulnerability arises from the improper handling of trailing carriage return (CR) characters in submodule paths when Git reads and writes configuration values. A path with a trailing CR is written unquoted and read back without the CR, so the submodule is checked out to a different location than the one recorded; if a symlink redirects that altered path into the submodule's hooks directory, an executable hook shipped in the submodule can run unintentionally after checkout.

Root Cause

Improper handling of trailing CR characters when reading and writing config entries in Git.

Attack Vector

Network

```bash
# Demonstrates the lossy round trip on an unpatched Git, in a scratch repo
git init -q cr-demo && cd cr-demo
# Store a value whose last character is a carriage return (CR)
git config demo.path "$(printf 'sub\r')"
# Unpatched Git writes the value unquoted; cat -A shows the bare ^M
cat -A .git/config
# Reading the value back drops the trailing CR: "sub" instead of "sub\r"
# (patched versions quote the value on write, so the CR survives)
git config demo.path | od -c
```

Detection Methods for CVE-2025-48384

Indicators of Compromise

  • Unintended script execution in submodules
  • Presence of unexpected symlinks in the repository
  • Suspicious modifications in .git/config

Detection Strategies

Monitor for changes in submodule paths that include carriage return characters. Use file integrity monitoring to detect unauthorized changes in .git/config.
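A scanner for the condition described above, added here as an example and not part of the SentinelOne page or of Git itself: it reads a git-config-style file (`.gitmodules` and `.git/config` share the `[section]` / `key = value` syntax) and reports every entry whose value ends in a carriage return, singling out submodule `path` entries. The sample `.gitmodules` content is constructed.

```python
import re
from typing import List, Tuple

# Section header "[name]" and entry "key = value" lines of a git config file.
_SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_ENTRY = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=(.*)$")


def find_trailing_cr(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) for every entry whose value ends in CR.

    The text is split on LF only, so a CR that precedes the LF survives and
    can be inspected; Git's reader (before the fix) silently dropped it.
    """
    hits = []
    section = ""
    for raw in text.split("\n"):
        m = _SECTION.match(raw)
        if m:
            section = m.group(1)
            continue
        m = _ENTRY.match(raw)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        # Trim only leading whitespace so a trailing CR stays visible.
        value = value.lstrip()
        if value.endswith("\r"):
            hits.append((section, key, value))
    return hits


def submodule_paths_with_cr(text: str) -> List[str]:
    """Names of submodule sections whose 'path' value carries a trailing CR."""
    return [sec for sec, key, _ in find_trailing_cr(text)
            if key == "path" and sec.startswith("submodule ")]


# Constructed sample .gitmodules: one clean entry, one with a trailing CR.
SAMPLE_GITMODULES = (
    '[submodule "clean"]\n'
    "\tpath = vendor/clean\n"
    "\turl = https://example.invalid/clean.git\n"
    '[submodule "suspicious"]\n'
    "\tpath = vendor/suspicious\r\n"
    "\turl = https://example.invalid/suspicious.git\n"
)

if __name__ == "__main__":
    for sec, key, value in find_trailing_cr(SAMPLE_GITMODULES):
        print(f"trailing CR in [{sec}] {key} = {value!r}")
```

To scan a real checkout, pass the contents of `.gitmodules` (read in binary mode and decoded, so the CR is not normalized away) to `find_trailing_cr`.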

Monitoring Recommendations

Implement continuous monitoring using SentinelOne XDR to detect anomalies in submodule management and script execution.

How to Mitigate CVE-2025-48384

Immediate Actions Required

  • Immediately upgrade Git to one of the patched versions: v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, or v2.50.1
  • Review all Git config files for unexpected trailing CR characters
  • Remove or secure symlink paths pointing to unauthorized directories

Patch Information

Patched versions are available and should be implemented to resolve this vulnerability. Visit the Git Advisory for detailed patch notes.

Workarounds

Ensure all configuration and path settings are sanitized to remove trailing CR characters before use.

```bash
# Strip a trailing CR from every line of the repository config (GNU sed)
sed -i 's/\r$//' .git/config
# Submodule paths are recorded in .gitmodules, which uses the same format
sed -i 's/\r$//' .gitmodules
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
