Code Execution Risk in Git Due to Submodule Path Handling
CVE-2025-48384

8.1HIGH

Key Information:

Vendor

Git

Status
Git
Vendor
CVE Published:
8 July 2025

Badges

📈 Score: 232👾 Exploit Exists🟡 Public PoC📰 News Worthy

What is CVE-2025-48384?

CVE-2025-48384 is a code execution vulnerability in Git, a widely used distributed version control system essential for managing source code in software development. This vulnerability arises from the way Git handles configuration values, particularly in relation to submodule paths. When Git processes configuration, it inadvertently strips trailing carriage return and line feed characters, leading to the potential alteration of specified submodule paths. If a path containing a trailing carriage return is incorrectly read, it can result in the submodule being initialized in an unintended location. This situation creates a security risk where, if a symlink to the altered path exists and the submodule has an executable post-checkout hook, that script could potentially run without explicit user consent. The implications of such unintended execution can severely compromise the integrity of systems utilizing Git, as malicious code could be executed within the context of the user's environment.

Potential impact of CVE-2025-48384

  1. Unauthorized Code Execution: The primary risk associated with CVE-2025-48384 is the potential for unauthorized execution of arbitrary code. Malicious actors could manipulate submodule paths, leading to executable code launching without user knowledge, which could compromise the security of development environments and production systems.

  2. Supply Chain Compromise: By exploiting this vulnerability, attackers can insert malicious code into legitimate projects through submodules, effectively posing a threat to the integrity of the software supply chain. This could result in the distribution of compromised software to broader user bases, amplifying the vulnerability's impact.

  3. Operational Disruption: The execution of unintended scripts may disrupt normal operations, leading to downtime or unexpected behavior in software applications. Such disruptions can hinder development workflows and impact the stability of applications, causing financial and reputational damage to organizations.

Affected Version(s)

git < 2.43.7 < 2.43.7

git >= 2.44.0-rc0, < 2.44.4 < 2.44.0-rc0, 2.44.4

git >= 2.45.0-rc0, < 2.45.4 < 2.45.0-rc0, 2.45.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-48384
Created by acheong08

CVE-2025-48384
Created by liamg

CVE-2025-48384
Created by fishyyh

News Articles

favicon imageArctic Wolf

PoC Available for High-Severity Arbitrary File Write in Git CLI I Arctic Wolf

On 8 July, 2025, the Git project released new versions of Git to address CVE-2025-48384, a high-severity vulnerability allowing threat actors to create malicious git repositories that unexpectedly run code when being cloned.

1 month ago

favicon imageArctic Wolf

PoC Available for High-Severity Arbitrary File Write in Git CLI I Arctic Wolf

On July 8, 2025, the Git project released new versions of Git to address CVE-2025-48384, a high-severity vulnerability allowing threat actors to create malicious git repositories that unexpectedly run code when being cloned.

1 month ago

References

https://github.com/git/git/security/advisories/GHSA-vwqx-...
x_refsource_CONFIRM

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • 📰

    First article discovered by Arctic Wolf

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.