CVE-2025-48385
BaseFortify

Publication date: 2025-07-08

Last updated on: 2025-11-04

Assigner: GitHub, Inc.

Description
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution. The use of bundle URIs is not enabled by default and can be controlled by the bundle.heuristic config option. Some cases of the vulnerability require that the adversary is in control of where a repository will be cloned to. This either requires social engineering or a recursive clone with submodules. These cases can thus be avoided by disabling recursive clones. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
Meta Information
Published: 2025-07-08
Last Modified: 2025-11-04
Generated: 2026-05-06
AI Q&A: 2025-07-08
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
git git 2.44.4
git git 2.50.0
git git 2.50.1
git git 2.46.4
git git 2.47.3
git git 2.45.4
git git 2.43.7
git git 2.49.1
git git 2.48.2
CWE ID Description
CWE-88 The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Git involves insufficient validation of advertised bundles when cloning a repository. Git can fetch bundles from a remote server to offload parts of the clone to a CDN. However, the client does not properly validate these bundles, allowing a malicious remote server to perform protocol injection. This can cause the client to write the fetched bundle to a location controlled by the attacker, potentially leading to arbitrary code execution. The vulnerability requires certain conditions, such as control over the clone destination or recursive clones with submodules, and can be mitigated by disabling recursive clones or updating Git to fixed versions.


How can this vulnerability impact me?

This vulnerability can allow an attacker controlling a remote Git server to execute arbitrary code on the client machine by injecting malicious protocol data and causing the client to write and execute code from a location controlled by the attacker. This can compromise the security and integrity of the affected system, potentially leading to unauthorized access, data loss, or system compromise.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should disable recursive clones to avoid cases where an adversary controls the clone location, and ensure that the bundle.heuristic config option is set to disable the use of bundle URIs. Additionally, update Git to one of the fixed versions: v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, or v2.50.1.
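
To check a host against the fixed releases listed above, the following added example (not part of the original advisory or of Git itself) classifies the output of `git --version`. The function names and the status strings are illustrative, and treating release lines newer than 2.50 as fixed is an assumption.

```python
import re
import subprocess

# Fixed releases named on this page, keyed by (major, minor) release line;
# the value is the first patch level that contains the fix.
FIXED = {
    (2, 43): 7, (2, 44): 4, (2, 45): 4, (2, 46): 4,
    (2, 47): 3, (2, 48): 2, (2, 49): 1, (2, 50): 1,
}
NEWEST_LINE = max(FIXED)

def parse_git_version(text):
    """Return (major, minor, patch) from `git --version` output or a bare version."""
    # Takes the first dotted number, so vendor suffixes such as
    # ".windows.1" or "(Apple Git-154)" are ignored.
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def classify(text):
    """Classify a Git version against the CVE-2025-48385 fixed releases."""
    major, minor, patch = parse_git_version(text)
    line = (major, minor)
    if line in FIXED:
        return "fixed" if patch >= FIXED[line] else "vulnerable"
    if line > NEWEST_LINE:
        # Assumption: release lines after 2.50 were cut with the fix included.
        return "fixed"
    # The page lists no fixed release for lines older than 2.43;
    # move to one of the listed releases.
    return "no-fix-listed"

def local_status():
    """Classify the Git binary found on PATH."""
    out = subprocess.run(["git", "--version"], capture_output=True,
                         text=True, check=True).stdout
    return out.strip(), classify(out)

if __name__ == "__main__":
    # Constructed sample strings, followed by the local installation.
    for sample in ("git version 2.50.0", "git version 2.45.2.windows.1",
                   "git version 2.43.7", "git version 2.39.5 (Apple Git-154)"):
        print(f"{sample:40} {classify(sample)}")
    print(*local_status())
```

Distribution packages that backport the fix can keep an older upstream version number, so confirm those against the vendor's own advisory.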

