CVE-2025-48384
BaseFortify

Publication date: 2025-07-08

Last updated on: 2025-11-06

Assigner: GitHub, Inc.

Description
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, so the CR is lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read, resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
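The write/read asymmetry the description relies on is easier to see in a small model. The following is an added illustration for this page, not code from Git: a writer that quotes values only for blanks and comment characters (the vulnerable behaviour) or also for CR (the fix), a reader that strips trailing CR/LF before anything else, and a lookup that shows where a submodule checkout lands when a symlink sits at the CR-less name. Git's real config parser has more escapes and rules; the symlink table is a constructed stand-in for the filesystem.

```python
# Added illustration for this advisory page, not code from Git: a minimal model
# of the config write/read asymmetry that CVE-2025-48384 describes. Only the
# behaviour named in the description (trailing CR/LF stripped on read, trailing
# CR left unquoted on write) is modelled; Git's parser has more escapes.

def write_entry(key, value, quote_cr=False):
    """Serialise one 'key = value' config line.

    quote_cr=False models the vulnerable writer: a value is quoted only when
    it has leading or trailing blanks or a comment character, so a trailing
    CR is emitted bare. quote_cr=True models the fix: any value containing
    CR is quoted too."""
    needs_quote = value != value.strip(" \t") or "#" in value or ";" in value
    if quote_cr and "\r" in value:
        needs_quote = True
    if needs_quote:
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        value = f'"{escaped}"'
    return f"\t{key} = {value}\n"


def read_value(line):
    """Parse the value of one config line.

    Trailing CR and LF are stripped first (the step the description refers
    to). An unquoted value also loses surrounding blanks; a quoted value is
    returned exactly as written between the quotes."""
    _, _, raw = line.partition("=")
    raw = raw.rstrip("\r\n").strip(" \t")
    if not raw.startswith('"'):
        return raw
    out, i = [], 1
    while i < len(raw) and raw[i] != '"':
        if raw[i] == "\\" and i + 1 < len(raw):   # only \\ and \" are modelled
            i += 1
        out.append(raw[i])
        i += 1
    return "".join(out)


def round_trip(path, fixed):
    """Write a submodule path into config and read it back."""
    return read_value(write_entry("path", path, quote_cr=fixed))


def checkout_dir(path, fixed, symlinks):
    """Where a submodule checkout lands once its path has gone through config.

    symlinks maps symlink names in the superproject worktree to their targets
    (a constructed stand-in for the real filesystem)."""
    altered = round_trip(path, fixed)
    return symlinks.get(altered, altered)


if __name__ == "__main__":
    # Constructed scenario from the description: the submodule path carries a
    # trailing CR, and the repository ships a symlink at the CR-less name that
    # points into the submodule's hooks directory.
    links = {"sub": ".git/modules/sub/hooks"}
    print(repr(checkout_dir("sub\r", fixed=False, symlinks=links)))  # '.git/modules/sub/hooks'
    print(repr(checkout_dir("sub\r", fixed=True, symlinks=links)))   # 'sub\r'
```

With the vulnerable writer the path `sub\r` comes back as `sub`, which is exactly the name the attacker's symlink occupies; once the value is quoted on write, the CR survives the round trip and the checkout no longer coincides with the symlink.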
Meta Information
Published: 2025-07-08
Last Modified: 2025-11-06
Generated: 2026-05-07
AI Q&A: 2025-07-08
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 10 associated CPEs; "(inc)" marks an inclusive bound and "(exc)" an exclusive one, so "to 2.43.7 (exc)" covers every release before 2.43.7.

Vendor    Product       Version / Range
debian    debian_linux  11.0
git-scm   git           to 2.43.7 (exc)
git-scm   git           From 2.44.0 (inc) to 2.44.4 (exc)
git-scm   git           From 2.45.0 (inc) to 2.45.4 (exc)
git-scm   git           From 2.46.0 (inc) to 2.46.4 (exc)
git-scm   git           From 2.47.0 (inc) to 2.47.3 (exc)
git-scm   git           From 2.48.0 (inc) to 2.48.2 (exc)
git-scm   git           From 2.49.0 (inc) to 2.49.1 (exc)
git-scm   git           From 2.50.0 (inc) to 2.50.1 (exc)
apple     xcode         to 26.0 (exc)
CWE ID   Description
CWE-436  Interpretation Conflict: Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. Here the config writer and the config reader disagree about a trailing CR.
CWE-59   Improper Link Resolution Before File Access ('Link Following'): The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. Here the altered submodule path is a symlink into the hooks directory.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Git involves how it handles trailing carriage return characters (CR) in configuration values and submodule paths. When a submodule path contains a trailing CR, Git reads an altered path, causing the submodule to be checked out to an incorrect location. If a symbolic link exists that points this altered path to the submodule hooks directory, and the submodule has an executable post-checkout hook, this hook script may be unintentionally executed after checkout.


How can this vulnerability impact me?

The vulnerability can lead to unintended execution of scripts (post-checkout hooks) because the submodule is checked out into the wrong location. An attacker who controls a repository that a victim clones with submodule initialization (for example a recursive clone) can therefore run arbitrary code with the privileges of the user running Git, impacting confidentiality, integrity, and availability of the system.


What immediate steps should I take to mitigate this vulnerability?

Update Git to one of the fixed versions: v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, or v2.50.1. Where Git comes from a vendor rather than from git-scm.org, take the vendor's update instead (the affected-products list above names Debian 11 and Xcode before 26.0). Until the update is in place, do not clone untrusted repositories with submodule initialization enabled (for example with --recurse-submodules), since submodule initialization is the step in which the hook can run.
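Two checks follow from the advice above and from the affected ranges listed earlier: whether a given `git --version` string is below the fix for its release series, and whether a superproject you are about to clone recursively shows the two conditions the description names (a submodule path ending in CR, and a symlink at the path left once that CR is stripped). The code below is an added example for this page, not part of the page or of Git; the `.gitmodules` text and tree listing it audits are constructed samples, and the version logic only reflects upstream numbering, so vendor builds with backported fixes need their own advisory checked.

```python
import re
import subprocess

# Added check for this advisory page (not part of the page or of Git): flag a
# `git --version` string that falls in the affected ranges, and audit a
# repository's .gitmodules plus tree listing for a submodule path with a
# trailing CR and a symlink sitting at the CR-stripped path.

# First fixed patch level per release series, taken from the advisory.
FIXED = {
    (2, 43): 7, (2, 44): 4, (2, 45): 4, (2, 46): 4,
    (2, 47): 3, (2, 48): 2, (2, 49): 1, (2, 50): 1,
}


def parse_git_version(text):
    """Pull (major, minor, patch) out of strings such as 'git version 2.49.0'
    or 'git version 2.50.1.windows.1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable_version(text):
    """True when the upstream version is below the fix for its series.

    Caveat: distributions that backport the fix keep the old version string
    (Debian 11 is listed as affected, so consult its own advisory), and Apple
    Git reports an upstream number that says nothing about Xcode 26.0. Treat
    this as a first pass, not a verdict."""
    major, minor, patch = parse_git_version(text)
    series = (major, minor)
    if series < min(FIXED):          # every release before 2.43.7 is affected
        return True
    if series in FIXED:
        return patch < FIXED[series]
    return False                     # 2.51 and later were cut after the fix


def submodule_paths(gitmodules_text):
    """Return {submodule name: raw path value}, keeping control characters
    instead of stripping them the way a config reader would."""
    paths, name = {}, None
    for line in gitmodules_text.split("\n"):
        header = re.match(r'\s*\[submodule\s+"(.*)"\]\s*$', line)
        if header:
            name = header.group(1)
            continue
        entry = re.match(r"\s*path\s*=\s*(.*)$", line)
        if entry and name is not None:
            paths[name] = entry.group(1)
    return paths


CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def audit_gitmodules(gitmodules_text, tree_entries):
    """Return findings for a superproject before it is cloned recursively.

    tree_entries are (mode, path) pairs; obtain them from `git ls-tree -r -z
    HEAD` and split on NUL so unusual path bytes are not C-quoted. Mode
    120000 marks a symlink."""
    findings = []
    symlinks = {path for mode, path in tree_entries if mode == "120000"}
    for name, raw in submodule_paths(gitmodules_text).items():
        if CONTROL.search(raw):
            findings.append(f"submodule {name!r}: path {raw!r} contains control characters")
        altered = raw.rstrip("\r\n")
        if altered != raw and altered in symlinks:
            findings.append(f"submodule {name!r}: CR-stripped path {altered!r} is a symlink in the tree")
    return findings


# Constructed sample input (hypothetical repository, not taken from any real
# proof of concept): one submodule whose path ends in CR, and a tree listing
# with a symlink at the CR-less name.
SAMPLE_GITMODULES = (
    '[submodule "sub"]\n'
    '\tpath = sub\r\n'
    '\turl = https://example.invalid/attacker/sub.git\n'
)
SAMPLE_TREE = [("100644", ".gitmodules"), ("120000", "sub"), ("160000", "sub\r")]

if __name__ == "__main__":
    for finding in audit_gitmodules(SAMPLE_GITMODULES, SAMPLE_TREE):
        print(finding)
    try:
        local = subprocess.run(["git", "--version"], capture_output=True,
                               text=True, check=True).stdout
        verdict = "below fixed version" if is_vulnerable_version(local) else "at or past fixed version"
        print(local.strip(), "->", verdict)
    except (OSError, subprocess.CalledProcessError):
        print("git not found on PATH")
```

Run against a real repository, feed `audit_gitmodules` the contents of `.gitmodules` from the clone you made without `--recurse-submodules`, and only initialize submodules once it returns no findings and `is_vulnerable_version` (or the vendor advisory) clears the local Git.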

