Code Execution Risk in Git Due to Submodule Path Handling
CVE-2025-48384
What is CVE-2025-48384?
CVE-2025-48384 is a code execution vulnerability in Git, the distributed version control system used for most software development. It stems from an inconsistency between how Git reads and writes configuration values. When Git reads a configuration value it strips any trailing carriage return and line feed; when it writes a value that ends in a carriage return it does not quote it, so the CR is silently lost on the next read. A submodule path that ends in a carriage return is therefore stored as one string and read back as another, and the submodule is checked out to the altered path instead of the one the repository declares. A malicious repository exploits this by committing a symlink at the altered path that points into the submodule's hooks directory (.git/modules/<name>/hooks) and giving the submodule an executable post-checkout hook: when a victim clones with submodules (git clone --recursive, or git submodule update --init), the submodule's files land in the hooks directory and Git runs the planted post-checkout script as the cloning user, with no prompt and no indication that anything unusual happened. The attack depends on a checkout path containing a literal carriage return, which Windows file systems do not permit, so Linux and macOS clients are the practical targets. Because the code runs in the user's own environment, credentials, SSH keys and anything else that user can reach are exposed.
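The indicator pair described above (a submodule path with a trailing carriage return in .gitmodules, plus a symlink committed at the same path with the CR removed) can be checked before any submodule is initialized. The following is an added example written for this page, not code from the Git project or from any of the articles cited here. Its inputs are constructed samples; for a real repository it assumes you take a clone made with git clone --no-recurse-submodules and feed it the output of git show HEAD:.gitmodules and git ls-tree -r -z HEAD. It also handles a .gitmodules saved with CRLF line endings, which a naive trailing-CR check would flag on every submodule.

```python
"""Indicator scan for the CVE-2025-48384 submodule pattern (added example, not
Git project code). It needs only two artifacts from a clone made *without*
recursing into submodules: the raw bytes of .gitmodules and the output of
`git ls-tree -r -z HEAD` (NUL-terminated, so paths are not quoted/escaped).
Both inputs below are constructed samples, not data from a real repository."""
import re
from typing import Dict, List, Tuple

# Constructed .gitmodules: "lib" is clean; "evil" has a path ending in a
# carriage return, which a vulnerable Git reads back as plain "evil".
SAMPLE_GITMODULES = (
    b'[submodule "lib"]\n'
    b'\tpath = lib\n'
    b'\turl = https://example.invalid/lib.git\n'
    b'[submodule "evil"]\n'
    b'\tpath = evil\r\n'
    b'\turl = https://example.invalid/evil.git\n'
)

# Constructed `git ls-tree -r -z HEAD`: the gitlink sits at "evil\r" while a
# symlink (mode 120000) is committed at the stripped path "evil".
SAMPLE_LS_TREE_Z = (
    b'100644 blob 0123456789abcdef0123456789abcdef01234567\tREADME\x00'
    b'160000 commit 89abcdef0123456789abcdef0123456789abcdef\tlib\x00'
    b'160000 commit 89abcdef0123456789abcdef0123456789abcdef\tevil\r\x00'
    b'120000 blob fedcba9876543210fedcba9876543210fedcba98\tevil\x00'
)

SECTION_RE = re.compile(rb'^\s*\[submodule\s+"([^"]*)"\]')
KEY_RE = re.compile(rb'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$')
CONTROL_RE = re.compile(rb'[\x00-\x1f\x7f]')


def split_lines(raw: bytes) -> List[bytes]:
    """Split on LF. If *every* line ends in CR the file is CRLF-encoded (e.g.
    authored on Windows); that CR is a line ending, not value content, so it is
    dropped to avoid false positives. A second, smuggled CR survives this step."""
    lines = raw.split(b'\n')
    if lines and lines[-1] == b'':
        lines.pop()
    if lines and all(line.endswith(b'\r') for line in lines):
        lines = [line[:-1] for line in lines]
    return lines


def parse_gitmodules(raw: bytes) -> Dict[str, Dict[str, bytes]]:
    """Parse .gitmodules keeping each value byte-for-byte, including a trailing
    CR that Git's own config reader strips. Only the quoting this check needs
    is handled: surrounding double quotes and the \\" and \\\\ escapes."""
    sections: Dict[str, Dict[str, bytes]] = {}
    current = None
    for line in split_lines(raw):
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).decode('utf-8', 'replace')
            sections.setdefault(current, {})
            continue
        kv = KEY_RE.match(line)
        if current is None or not kv:
            continue
        value = kv.group(2)
        if len(value) >= 2 and value.startswith(b'"') and value.endswith(b'"'):
            value = value[1:-1].replace(b'\\"', b'"').replace(b'\\\\', b'\\')
        sections[current][kv.group(1).decode().lower()] = value
    return sections


def find_cr_submodule_paths(raw: bytes) -> List[Tuple[str, bytes, bytes]]:
    """(name, path as written, path as Git reads it) for each submodule whose
    path contains a trailing CR or any other control byte."""
    findings = []
    for name, keys in parse_gitmodules(raw).items():
        path = keys.get('path')
        if path is not None and CONTROL_RE.search(path):
            findings.append((name, path, path.rstrip(b'\r\n')))
    return findings


def symlinks_at_stripped_paths(ls_tree_z: bytes,
                               findings: List[Tuple[str, bytes, bytes]]) -> List[str]:
    """Second half of the pattern: a symlink committed where the CR-suffixed
    submodule will really be checked out (in the reported case it points into
    .git/modules/<name>/hooks). Entry format: mode SP type SP object TAB path NUL."""
    targets = {stripped for _, _, stripped in findings}
    hits = []
    for entry in ls_tree_z.split(b'\x00'):
        if not entry:
            continue
        meta, _, name = entry.partition(b'\t')
        if meta.split(b' ', 1)[0] == b'120000' and name in targets:
            hits.append(name.decode('utf-8', 'replace'))
    return hits


if __name__ == '__main__':
    cr_paths = find_cr_submodule_paths(SAMPLE_GITMODULES)
    for name, written, read_back in cr_paths:
        print(f'[!] submodule {name}: path written as {written!r}, read as {read_back!r}')
    for path in symlinks_at_stripped_paths(SAMPLE_LS_TREE_Z, cr_paths):
        print(f'[!] symlink committed at stripped path {path!r}: refuse to init submodules')
    if not cr_paths:
        print('no CR-suffixed submodule paths found')
```

Run git submodule update --init --recursive only once the scan is clean; on an unpatched client that command is the step that performs the checkout into the hooks directory. The scan is a detection aid for CI pipelines and for reviewing repositories of unknown provenance, not a substitute for upgrading Git.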
Potential impact of CVE-2025-48384
- Unauthorized Code Execution: the primary risk is that a malicious repository runs attacker-controlled code with the privileges of the user who clones it. The only interaction required is a clone or submodule update that pulls in submodules, so developer workstations and CI runners that clone untrusted repositories or third-party pull requests are the most exposed.
- Supply Chain Compromise: an attacker who controls a repository that others clone with submodules, or who can add a submodule to a project that others depend on, gains code execution on every downstream machine that clones it. Because the hook runs during checkout, the payload executes before anyone reviews the fetched code, and a compromised build host can then ship tampered artifacts to a much wider user base.
- Operational Disruption: unintended script execution can corrupt checkouts, break builds or alter developer environments, causing downtime and unexpected behaviour in dependent applications, with the attendant financial and reputational cost to the organization.
CISA has listed CVE-2025-48384 as exploited
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA tracks the most dangerous vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog and has identified CVE-2025-48384 as exploited in the wild; it is not known to CISA to be used in ransomware campaigns. That assessment can change quickly.
CISA's recommendation is: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. For federal agencies the KEV remediation due date is September 15, 2025.
Affected Version(s)
Product | Affected range | Fixed in
git | < 2.43.7 | 2.43.7
git | >= 2.44.0-rc0, < 2.44.4 | 2.44.4
git | >= 2.45.0-rc0, < 2.45.4 | 2.45.4
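To check a client against these ranges, here is an added example (not part of this page, the Git project, or any cited article) that parses git --version output and compares it with the first fixed release of each series. The three ranges listed above are extended with the remaining fixed releases from the Git project's July 8, 2025 security release (2.46.4, 2.47.3, 2.48.2, 2.49.1 and 2.50.1); that list is taken from the upstream announcement rather than from this page. The version-string formats it accepts are assumptions about common vendor builds.

```python
"""Is this Git binary in an affected range for CVE-2025-48384? (added example)

Upstream fixed releases are taken from the Git project's July 8, 2025 security
release: 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1 and 2.50.1.
Distribution packages often backport fixes under an older upstream version
number, so a True result for a distro-built git should be confirmed against
the package changelog rather than treated as final."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int, int]

# Per maintained series: the first release that carries the fix.
FIXED = {
    (2, 43): (2, 43, 7), (2, 44): (2, 44, 4), (2, 45): (2, 45, 4), (2, 46): (2, 46, 4),
    (2, 47): (2, 47, 3), (2, 48): (2, 48, 2), (2, 49): (2, 49, 1), (2, 50): (2, 50, 1),
}
OLDEST_FIXED_SERIES = min(FIXED)   # everything before 2.43.7 is unpatched upstream
NEWEST_FIXED_SERIES = max(FIXED)   # 2.51 and later were cut after the fix landed

VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?')


def parse_version(text: str) -> Optional[Version]:
    """Accept raw `git --version` output such as "git version 2.39.5 (Apple Git-154)",
    "git version 2.50.1.windows.1" or "git version 2.44.0-rc0" (assumed vendor
    formats). Returns (major, minor, patch, is_final, rc) so that a release
    candidate sorts before the final release it precedes."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    rc = m.group(4)
    return (major, minor, patch, 1, 0) if rc is None else (major, minor, patch, 0, int(rc))


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the version falls in an affected range, False if it carries the
    fix, None if no version number could be parsed from the text."""
    v = parse_version(text)
    if v is None:
        return None
    series = v[:2]
    if series < OLDEST_FIXED_SERIES:
        return True
    if series > NEWEST_FIXED_SERIES:
        return False
    fixed_major, fixed_minor, fixed_patch = FIXED[series]
    return v < (fixed_major, fixed_minor, fixed_patch, 1, 0)


if __name__ == '__main__':
    import subprocess
    try:
        out = subprocess.run(['git', '--version'], capture_output=True, text=True).stdout
    except FileNotFoundError:
        out = ''
    label = {True: 'AFFECTED', False: 'fixed', None: 'unparseable'}[is_vulnerable(out)]
    print(out.strip() or '(git not found)', '->', label)
```

Release candidates are treated as earlier than the release they precede, which is why 2.44.0-rc0 lands inside the affected range exactly as the table states.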
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that a vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to use in ransomware. A public PoC exists for CVE-2025-48384, so any unpatched client that clones untrusted repositories with submodules should be treated as exposed.
News Articles

CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git
CISA adds Citrix and Git flaws to KEV after active exploitation; agencies must patch by Sept 15, 2025.

PoC Available for High-Severity Arbitrary File Write in Git CLI | Arctic Wolf
On July 8, 2025, the Git project released new versions of Git to address CVE-2025-48384, a high-severity vulnerability allowing threat actors to create malicious git repositories that unexpectedly run code when being cloned.
CVSS V3.1: 8.1 (High), as assigned in the GitHub security advisory for this CVE.
Timeline
- 🦅 CISA Reported (added to the KEV catalog; federal remediation due September 15, 2025)
- 📰 First article discovered by Arctic Wolf
- 🟡 Public PoC available
- 👾 Exploit known to exist
- Vulnerability published (July 8, 2025, alongside the fixed Git releases)
- Vulnerability Reserved