Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-48385

CVE-2025-48385: Git Bundle URI RCE Vulnerability

CVE-2025-48385 is a remote code execution flaw in Git that exploits bundle URI validation, allowing attackers to execute arbitrary code. This article covers technical details, affected versions, and mitigations.

Updated:

CVE-2025-48385 Overview

CVE-2025-48385 is a protocol injection vulnerability in Git, the widely-used distributed version control system. The vulnerability exists in the bundle URI feature, which allows servers to offload parts of a repository clone operation to a CDN. When cloning a repository, Git fails to perform sufficient validation of advertised bundles from the remote server, enabling an attacker controlling the server to inject malicious protocol commands. This can cause the Git client to write fetched bundle content to an attacker-controlled location, potentially leading to arbitrary code execution.

Critical Impact

This vulnerability allows remote attackers to achieve arbitrary code execution on systems performing Git clone operations against malicious repositories. The attack requires user interaction but can be exploited without any privileges.

Affected Products

  • Git versions prior to v2.43.7
  • Git versions v2.44.x prior to v2.44.4
  • Git versions v2.45.x prior to v2.45.4
  • Git versions v2.46.x prior to v2.46.4
  • Git versions v2.47.x prior to v2.47.3
  • Git versions v2.48.x prior to v2.48.2
  • Git versions v2.49.x prior to v2.49.1
  • Git version v2.50.0

Discovery Timeline

  • July 8, 2025 - CVE-2025-48385 published to NVD
  • November 4, 2025 - Last updated in NVD database

Technical Details for CVE-2025-48385

Vulnerability Analysis

This vulnerability is classified under CWE-73 (External Control of File Name or Path), indicating that an external party can influence file paths used by the application. The bundle URI feature in Git is designed to improve clone performance by allowing remote servers to advertise pre-packaged bundles that clients can fetch from alternative sources such as CDNs.

The vulnerability arises because the Git client does not adequately validate the bundle URIs advertised by the remote server during the clone operation. A malicious server can craft specially designed bundle advertisements that exploit this insufficient validation to inject protocol commands. This injection allows the attacker to control where the fetched bundle content is written on the victim's file system.

Since the content of the fetched bundle is fully controlled by the malicious server, an attacker can write arbitrary data to locations of their choosing. In the most severe scenarios, this can result in arbitrary code execution on the victim's machine, particularly if the written content overwrites or introduces executable code in predictable locations.

Root Cause

The root cause of this vulnerability is insufficient input validation in Git's bundle URI handling logic. When the Git client receives bundle URI advertisements from a remote server, it fails to properly sanitize and validate these URIs before using them in file operations. This allows protocol injection attacks where the attacker can manipulate the file path destination for downloaded bundles.

Attack Vector

The attack is network-based and requires user interaction, specifically requiring a victim to clone a repository controlled by the attacker. The vulnerability can be exploited in two primary scenarios:

  1. Direct Clone Attack: An attacker convinces a user to clone a malicious repository. This requires social engineering to direct the victim to the attacker-controlled repository.

  2. Recursive Submodule Attack: For more sophisticated attacks, the adversary can leverage recursive clones with submodules. If a legitimate-looking repository contains a submodule pointing to a malicious repository, the attack can execute when the victim performs a recursive clone.

The bundle URI feature is not enabled by default and is controlled by the bundle.heuristic configuration option. However, organizations that have enabled this feature for performance optimization are at risk.

The attack does not require authentication or prior access to the victim's system. The attacker only needs to host a malicious Git repository and entice the victim to clone it.

Detection Methods for CVE-2025-48385

Indicators of Compromise

  • Unexpected files appearing in directories outside the intended repository clone location
  • Git clone operations that write to system directories or other sensitive file paths
  • Unusual network traffic to unknown CDN endpoints during repository clone operations
  • Evidence of bundle fetches from untrusted or unfamiliar URIs in Git operation logs

Detection Strategies

  • Monitor Git client operations for unusual file write patterns, especially writes outside expected repository directories
  • Implement network monitoring to detect Git clone operations that connect to suspicious or unexpected bundle URIs
  • Review Git configuration files across systems for unexpected bundle.heuristic settings
  • Deploy endpoint detection to identify post-exploitation activity following suspicious clone operations

Monitoring Recommendations

  • Enable verbose logging for Git operations in development and CI/CD environments to capture bundle URI activity
  • Implement alerting on file system writes that occur during Git clone operations to unexpected paths
  • Audit CI/CD pipelines for recursive clone operations that could introduce submodule-based attacks
  • Monitor for execution of newly written files following Git clone operations

How to Mitigate CVE-2025-48385

Immediate Actions Required

  • Upgrade Git to the patched versions: v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, or v2.50.1
  • Audit Git configuration across all systems and disable the bundle.heuristic option if not required
  • Disable recursive clones in automated systems and CI/CD pipelines until patching is complete
  • Review recent clone operations from untrusted sources for signs of compromise

Patch Information

Security patches addressing this vulnerability have been released by the Git project. The fixed versions include v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1. Organizations should update to the appropriate patched version for their release branch.

For detailed information about the security fix, refer to the GitHub Security Advisory and the OpenWall OSS-Security Discussion.

Workarounds

  • Disable the bundle URI feature by setting git config --global bundle.heuristic false
  • Avoid cloning repositories from untrusted sources until patches are applied
  • Disable recursive cloning by omitting the --recurse-submodules flag or setting git config --global submodule.recurse false
  • Implement network-level controls to restrict Git bundle downloads to approved CDN endpoints only
bash
# Disable bundle URI feature globally
git config --global bundle.heuristic false

# Disable recursive submodule cloning globally
git config --global submodule.recurse false

# Verify the configuration changes
git config --global --list | grep -E "(bundle|submodule)"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne