Organizations Warned of Exploited Git Vulnerability


Posted on August 26, 2025 By CWS

The US cybersecurity agency CISA on Monday warned that a recent vulnerability in Git has been exploited in attacks, urging its immediate patching.

The flaw, tracked as CVE-2025-48384 (CVSS score of 8.1), is described as an arbitrary file write during the cloning of repositories with submodules that use a ‘recursive’ flag.

The issue exists because, when reading configuration values, Git strips trailing carriage return (CR) characters and doesn’t quote them when writing.

Thus, the initialization of submodules with a path containing a trailing CR results in altered paths and in the submodule being checked out to an incorrect location.

“If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout,” Git’s advisory reads.

This allows attackers to manipulate internal submodule paths, which results in Git writing data to unexpected locations and initializing the submodules in those locations.

Shortly after the Git project released patches for CVE-2025-48384 on July 8, Datadog warned that proof-of-concept (PoC) code targeting the bug had been released.

“An attacker can craft a malicious .gitmodules file with submodule paths ending in a carriage return. Due to Git’s config parser behavior, this character may be stripped on read but preserved on write, allowing malicious redirection of submodule contents. When combined with symlinks or certain repository layouts, this can lead to arbitrary writes across the filesystem,” Datadog said.

The security firm warned that attackers can exploit the flaw by creating malicious repositories that, when cloned, would lead to remote code execution.
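A pre-clone review check for the condition described above, as an added example that is not code from Git, Datadog or the original article: it scans the raw bytes of a `.gitmodules` file and reports submodule `path` values that carry a carriage return or other control byte. The function name, the CRLF heuristic and the sample files are assumptions made for illustration.

```python
import re

# Any control byte except TAB. A raw CR (0x0d) is the byte the advisory describes.
CONTROL = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")
SECTION = re.compile(rb'^\s*\[submodule\s+"(.*)"\]\s*$')
PATH_KEY = re.compile(rb"^\s*path\s*=(.*)$", re.IGNORECASE)


def suspicious_submodule_paths(gitmodules: bytes):
    """Return [(line_no, submodule_name, raw_value)] for path entries whose
    value contains a control byte. Hypothetical helper, heuristic only."""
    lines = gitmodules.split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()  # a trailing newline leaves one empty element
    # A file that ends *every* line in CRLF is an ordinary Windows-style
    # file; only then is the final CR treated as a line terminator.
    crlf_file = bool(lines) and all(l.endswith(b"\r") for l in lines)
    findings, current = [], "?"
    for line_no, raw in enumerate(lines, start=1):
        line = raw[:-1] if crlf_file else raw
        m = SECTION.match(line)
        if m:
            current = m.group(1).decode("utf-8", "replace")
            continue
        m = PATH_KEY.match(line)
        if m and CONTROL.search(m.group(1)):
            findings.append((line_no, current, m.group(1).strip(b" \t")))
    return findings


# Constructed samples, not taken from any real repository.
CLEAN = (b'[submodule "vendor/lib"]\n\tpath = vendor/lib\n'
         b'\turl = https://example.invalid/lib.git\n')
CRLF = CLEAN.replace(b"\n", b"\r\n")          # uniform CRLF line endings
ODD = CLEAN.replace(b"vendor/lib\n", b"vendor/lib\r\n", 1)  # CR on one line only

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("crlf", CRLF), ("odd", ODD)):
        print(name, suspicious_submodule_paths(blob))
```

A finding is a reason to inspect the repository by hand before any recursive clone; an empty result does not replace upgrading Git.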

The vulnerability, however, only impacts macOS and Linux systems. Differences in control character usage render Windows machines immune to the security defect. The issue was resolved in Git versions 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.

“This will mostly affect software developers using Git on workstations to version control their code, but we have also identified usage of vulnerable Git versions in customer CI/CD build systems,” Datadog warned last month.
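For auditing workstations and CI/CD build images against the fixed releases listed above, the following added example (not from the article or from Git) classifies the output of `git --version` per maintenance line. The function names and status strings are hypothetical; treating release lines newer than 2.50 as patched is an assumption, and a version string cannot reveal fixes backported by a distribution or vendor.

```python
import re
import subprocess

# First fixed release in each maintenance line, as listed in the article.
FIXED = {(2, 43): 7, (2, 44): 4, (2, 45): 4, (2, 46): 4,
         (2, 47): 3, (2, 48): 2, (2, 49): 1, (2, 50): 1}
VERSION = re.compile(r"git version (\d+)\.(\d+)(?:\.(\d+))?")


def classify(version_output: str) -> str:
    """Map `git --version` output to a status for CVE-2025-48384."""
    m = VERSION.search(version_output)
    if not m:
        return "unknown"
    series = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)
    if series in FIXED:
        return "patched" if patch >= FIXED[series] else "vulnerable"
    if series > max(FIXED):
        # Assumption: release lines after 2.50 already contain the fix.
        return "patched"
    # Older lines (for example vendor builds of 2.39.x): the article lists
    # no fixed release, so check the vendor's own advisory for a backport.
    return "no-upstream-fix-listed"


def installed_git_status(git: str = "git") -> str:
    """Run the local git binary and classify it; 'unknown' if it cannot run."""
    try:
        out = subprocess.run([git, "--version"], capture_output=True,
                             text=True, check=True, timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        return "unknown"
    return classify(out)


if __name__ == "__main__":
    print(installed_git_status())
```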

On Monday, CISA added CVE-2025-48384 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it by September 15, as Binding Operational Directive (BOD) 22-01 mandates.

While BOD 22-01 only applies to federal agencies, all organizations are advised to review CISA’s KEV list and apply the recommended patches and mitigations for all the security defects it identifies.

There do not appear to be any public reports describing the attacks exploiting CVE-2025-48384.
