CISA Warns of Git Arbitrary File Write Vulnerability Exploited in Attacks

Posted on August 26, 2025 By CWS

CISA has issued a high-severity warning for CVE-2025-48384, a link-following vulnerability in Git that allows arbitrary file writes through inconsistent carriage return handling in configuration files.

This flaw has already seen active exploitation, underscoring the critical need for prompt mitigation.

Key Takeaways

1. CVE-2025-48384 lets attackers abuse CR handling in Git configs to write arbitrary files.
2. It endangers CI/CD and build systems.
3. Upgrade Git and apply BOD 22-01 controls.

Git Arbitrary File Write Vulnerability

CVE-2025-48384 arises from Git's inconsistent handling of trailing carriage return (CR) characters in .git/config and other configuration entries. When Git reads a config value, it strips any trailing CR and line feed (LF) characters.

However, when writing a config entry that ends with a CR, Git does not quote the value, so the CR is lost when the entry is re-read. This behavior can be abused during submodule initialization.

In this case, Git strips the \r on read, altering the intended path (e.g., payload instead of payload\r). If a symlink named payload points to .git/hooks, a cloned repository can place an attacker-controlled post-checkout hook into the hooks directory.

Upon checkout, this hook executes arbitrary code with the user's privileges, allowing arbitrary file writes anywhere on the filesystem.
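As an added defensive example (not code from the article or from the Git project), the following pre-clone check parses a repository's .gitmodules and flags submodule paths that Git's CR stripping would alter, or that escape the work tree; the .gitmodules content and the submodule names are constructed for the demonstration.

```python
import re

# Constructed sample .gitmodules (not from the article): the second
# submodule's path carries a trailing carriage return, the pattern that
# CVE-2025-48384 abuses when Git writes the path unquoted into .git/config
# and then strips the CR on re-read.
SAMPLE_GITMODULES = (
    '[submodule "lib"]\n'
    '\tpath = lib\n'
    '\turl = https://example.invalid/lib.git\n'
    '[submodule "evil"]\n'
    '\tpath = payload\r\n'
    '\turl = https://example.invalid/evil.git\n'
)

SECTION_RE = re.compile(r'^\s*\[submodule\s+"(?P<name>[^"]*)"\]\s*$')
KEY_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*(?P<value>.*)$')


def parse_gitmodules(text):
    """Parse INI-style .gitmodules into {name: {key: raw_value}}.
    Lines are split on LF only, so a trailing CR survives in the value;
    that byte is exactly what a pre-clone check must be able to see."""
    modules, current = {}, None
    for line in text.split('\n'):
        m = SECTION_RE.match(line)
        if m:
            current = m.group('name')
            modules[current] = {}
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            modules[current][m.group('key')] = m.group('value')
    return modules


def find_suspicious_submodules(text):
    """Return names of submodules whose path contains a control character
    (including a trailing CR), is absolute, or has a '..' or '.git'
    component, i.e. paths that could be rewritten or follow a link out
    of the work tree once Git re-reads the config."""
    flagged = []
    for name, entries in parse_gitmodules(text).items():
        path = entries.get('path', '')
        parts = path.rstrip('\r').split('/')
        if (any(ord(c) < 0x20 for c in path)
                or path.startswith('/')
                or any(p in ('..', '.git') for p in parts)):
            flagged.append(name)
    return flagged


if __name__ == '__main__':
    print('suspicious submodules:', find_suspicious_submodules(SAMPLE_GITMODULES))
```

Run it against the .gitmodules of a repository before `git submodule update --init` on a CI runner; a non-empty result is a reason to stop the job and inspect the repository.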

This flaw is cataloged under CWE-59 (Link Following) and CWE-436 (Interpretation of Trusted Input).

Although no direct link to ransomware campaigns has been confirmed, the potential for chain-loading malicious hooks makes this vulnerability exceptionally dangerous in automated build and CI/CD pipelines.

Risk Factors and Details

Affected Products: Git versions ≤ 2.50.0 (including maintenance tracks 2.43.7–2.49.1)
Impact: Arbitrary file writes or code execution
Exploit Prerequisites: Clone an untrusted repository containing a submodule whose path ends with \r
CVSS 3.1 Score: 8.0 (High)

Mitigations 

CISA advises organizations to apply the fixes published by Git maintainers and vendors immediately.

Update Git to version 2.50.1 (and the corresponding patches on the older maintenance tracks 2.43.7 through 2.49.1), available from the official kernel.org repositories.

For cloud-based development environments, implement Binding Operational Directive (BOD) 22-01 controls to enforce patching or to disable vulnerable Git installations centrally.

If immediate patching is not feasible, disable Git submodule initialization or remove the .git/hooks/post-checkout script from CI/CD runners and developer workstations.

All organizations are urged to treat this vulnerability as an urgent priority, ensuring patches are deployed by September 15, 2025, the official due date for remediation.

Failure to address CVE-2025-48384 could result in unauthorized code execution, data tampering, or supply-chain compromise within critical software development lifecycles.
