A significant security flaw has been identified in the Git Command Line Interface (CLI), designated as CVE-2025-48384, which allows attackers to perform arbitrary file writes on Linux and macOS systems. This vulnerability, assigned a Common Vulnerability Scoring System (CVSS) severity score of 8.1 out of 10, poses a substantial risk to developers and organizations relying on Git for version control.
Understanding CVE-2025-48384
The vulnerability arises from an inconsistency between how Git reads and writes configuration values on UNIX-like systems; `.gitmodules` is parsed by the same configuration code as `.git/config`. When reading a value, Git treats a trailing carriage return and line feed (CRLF) as an ordinary line ending and discards the carriage return (`\r`), but a `\r` inside a quoted value is kept. When writing a value back out, Git did not quote or escape a trailing `\r`. A submodule path declared as `"sub\r"` in a malicious `.gitmodules` is therefore read with the `\r` intact, copied into `.git/config` as the bare `sub\r`, and read back from there as `sub`. The submodule ends up checked out at a different path from the one declared. If the repository also ships a symlink at that altered path pointing into the submodule's own hooks directory, the submodule's files, including an executable `post-checkout` hook, are written there, and the hook runs as soon as the checkout finishes.
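The read/write mismatch is easier to see in code. The following is an added example that models the behavior described above; it is a deliberately simplified imitation, not Git's own `config.c`, and the exact quoting rules and the shape of the upstream fix are assumptions made for illustration. The `.gitmodules` line is constructed.

```python
"""Model of the config read/write mismatch behind CVE-2025-48384.
Added example: a simplified imitation of the behavior the advisory
describes, not Git's own config parser or writer."""


def read_config_value(raw_line: str) -> str:
    """Read path (modeled): a CRLF line ending counts as a plain newline,
    whitespace around an unquoted value (CR is whitespace) is dropped,
    and the contents of a quoted value are kept byte for byte."""
    _, _, value = raw_line.partition("=")
    if value.endswith("\r\n"):
        value = value[:-2]
    elif value.endswith("\n"):
        value = value[:-1]
    body = value.strip(" \t")
    if len(body) >= 2 and body[0] == '"' and body[-1] == '"':
        return body[1:-1]          # quoted: an embedded CR survives
    return value.strip()           # unquoted: a trailing CR is stripped


def write_config_line_vulnerable(key: str, value: str) -> str:
    """Write path before the fix (modeled): values are quoted only for
    surrounding spaces or comment characters; a CR is emitted bare."""
    needs_quotes = value != value.strip(" ") or "#" in value or ";" in value
    if needs_quotes:
        value = '"%s"' % value
    return "\t%s = %s\n" % (key, value)


def write_config_line_fixed(key: str, value: str) -> str:
    """Write path after the fix (modeled assumption): a CR anywhere in the
    value also forces quoting, so a later read sees the same bytes."""
    if "\r" in value:
        return '\t%s = "%s"\n' % (key, value)
    return write_config_line_vulnerable(key, value)


def submodule_path_after_init(gitmodules_line: str, writer) -> str:
    """The path Git ends up checking out to: read from .gitmodules, copied
    into .git/config by `writer`, then read back from .git/config."""
    declared = read_config_value(gitmodules_line)
    stored = writer("path", declared)
    return read_config_value(stored)


# Constructed attacker entry: the trailing CR sits inside the quotes, so
# the first read keeps it and the declared path is 'sub\r'.
EVIL_LINE = '\tpath = "sub\r"\n'

if __name__ == "__main__":
    declared = read_config_value(EVIL_LINE)
    print("declared in .gitmodules :", repr(declared))
    print("used, vulnerable writer :",
          repr(submodule_path_after_init(EVIL_LINE, write_config_line_vulnerable)))
    print("used, fixed writer      :",
          repr(submodule_path_after_init(EVIL_LINE, write_config_line_fixed)))
```

With the vulnerable writer the declared path `sub\r` silently becomes `sub`; an attacker who commits a symlink named `sub` in the top-level repository controls where that checkout lands. With the modeled fix the quotes are reintroduced on write and the path survives the round trip unchanged.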
Exploitation Mechanism
Attackers can exploit this flaw by publishing a malicious repository that contains a specially crafted `.gitmodules` file together with a symlink at the path the carriage return collapses to. When a victim runs `git clone --recursive` on that repository (or otherwise initializes its submodules, for example with `git submodule update --init`), the submodule checkout follows the symlink and writes the attacker's files wherever it points on the victim's system. A plain `git clone` without `--recursive` does not initialize submodules and so does not trigger the bug on its own. Consequences include:
1. Injection of Malicious Git Hooks: By pointing the symlink at a hooks directory, attackers can plant executable hook scripts. A `post-checkout` hook placed this way runs as soon as the submodule checkout completes, giving the attacker code execution on the victim's machine; other hooks fire during later operations such as `git commit` and `git merge`, providing persistence.
2. Modification of Git Configuration: By overwriting the victim’s Git configuration file, attackers can alter the `[remote origin]` section. This modification can facilitate the stealthy exfiltration of sensitive data, including proprietary source code, to attacker-controlled servers.
Affected Systems
The vulnerability affects Git CLI installations on Linux and macOS platforms prior to the following patched versions:
– v2.43.7
– v2.44.4
– v2.45.4
– v2.46.4
– v2.47.3
– v2.48.2
– v2.49.1
– v2.50.1
Notably, Windows systems are not affected, because Windows does not permit carriage return characters in file names, so the crafted path cannot be created there.
GitHub Desktop Vulnerability
The GitHub Desktop client for macOS is particularly exposed because it clones repositories with `git clone --recursive` by default, so simply opening an untrusted repository in it is enough to trigger the bug. Users of GitHub Desktop on macOS should be especially vigilant and ensure they are running a patched version.
Proof-of-Concept Exploits
Security researchers have developed and publicly released proof-of-concept (PoC) exploits demonstrating the feasibility of this vulnerability. The published PoCs show a recursive clone writing attacker-controlled files to directories such as `/tmp`, underscoring the urgency for users to apply the necessary patches.
Mitigation Strategies
To protect against this vulnerability, users and organizations should take the following steps:
1. Update Git Installations: Ensure that Git installations are updated to one of the patched versions listed above, which correct the write path so that values containing a carriage return are quoted and survive a read/write round trip. Check with `git --version`; note that distribution and vendor builds (such as Apple's bundled Git) carry their own version numbers, so confirm with the vendor whether the fix has been backported.
2. Exercise Caution with Untrusted Repositories: Avoid cloning repositories from untrusted sources with the `--recursive` flag, which is what triggers the vulnerability. Cloning without `--recursive`, inspecting `.gitmodules` for carriage returns or unusual paths, and only then running `git submodule update --init` gives you a chance to look before the submodules are checked out.
3. Monitor for Suspicious Activity: Regularly review Git configurations and the `hooks` directories of repositories and their submodules (`.git/hooks` and `.git/modules/<name>/hooks`) for unauthorized changes that may indicate compromise.
4. Use Alternative Clients: On macOS, consider using a patched Git CLI instead of GitHub Desktop until the latter has been updated to a secure version.
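The following script is an added example, not part of the advisory or of Git, that automates the three checks above: it compares a `git --version` string against the fixed versions listed in this article, scans the raw bytes of a `.gitmodules` file for submodule paths carrying a lone carriage return, a `..` component or an absolute path, and lists executable, non-sample hook scripts under a repository's `.git` directory. The sample `.gitmodules` content is constructed; the version comparison logic and the choice of what counts as suspicious are the author's assumptions.

```python
"""Pre-clone and post-update checks for CVE-2025-48384 (added example,
not part of the advisory). Run it in a repository cloned WITHOUT
--recursive, before `git submodule update --init`."""
import os
import re
import subprocess
import sys

# Fixed versions from the list above, keyed by the minor number of 2.x.y.
FIXED = {43: 7, 44: 4, 45: 4, 46: 4, 47: 3, 48: 2, 49: 1, 50: 1}


def is_git_patched(version_output: str) -> bool:
    """True if `git --version` output names a release at or after the fix.
    Conservative: maintenance tracks older than 2.43 are reported unpatched
    even if a vendor build backported the fix."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        return False
    major, minor, patch = (int(x) for x in m.groups())
    if major != 2:
        return major > 2
    if minor < min(FIXED):
        return False
    if minor > max(FIXED):
        return True
    return patch >= FIXED[minor]


# One `path = value` line; `.` matches a bare CR but never LF.
_PATH_RE = re.compile(rb"^[ \t]*path[ \t]*=[ \t]*(.*)$", re.M)


def scan_gitmodules(data: bytes) -> list:
    """Return (path, reason) findings for the raw bytes of a .gitmodules.
    CRLF line endings are normalised first, as Git treats them as plain
    newlines, so any CR left over is a lone one embedded in a value."""
    text = data.replace(b"\r\n", b"\n")
    findings = []
    for m in _PATH_RE.finditer(text):
        raw = m.group(1).strip(b" \t")
        if len(raw) >= 2 and raw[:1] == b'"' and raw[-1:] == b'"':
            raw = raw[1:-1]                # quoted value: keep inner bytes
        if any(c < 0x20 for c in raw):     # CR or any other control byte
            findings.append((raw, "control character in path"))
        if b".." in raw.replace(b"\\", b"/").split(b"/"):
            findings.append((raw, "parent-directory component"))
        if raw.startswith(b"/"):
            findings.append((raw, "absolute path"))
    return findings


def find_active_hooks(git_dir: str) -> list:
    """Executable non-.sample files in every hooks/ directory below git_dir,
    which covers .git/hooks as well as .git/modules/<name>/hooks."""
    found = []
    for root, _dirs, files in os.walk(git_dir):
        if os.path.basename(root) != "hooks":
            continue
        for name in files:
            path = os.path.join(root, name)
            if not name.endswith(".sample") and os.access(path, os.X_OK):
                found.append(path)
    return sorted(found)


# Constructed sample: one benign submodule and one whose quoted path ends
# in a carriage return, as in the attack described above.
SAMPLE_GITMODULES = (
    b'[submodule "lib"]\n'
    b"\tpath = lib\n"
    b"\turl = https://example.invalid/lib.git\n"
    b'[submodule "evil"]\n'
    b'\tpath = "sub\r"\n'
    b"\turl = https://example.invalid/evil.git\n"
)

if __name__ == "__main__":
    try:
        out = subprocess.run(["git", "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = ""
    print("git patched:", is_git_patched(out), repr(out.strip()))
    target = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(target, "rb").read() if target else SAMPLE_GITMODULES
    for path, reason in scan_gitmodules(data):
        print("suspicious submodule path %r: %s" % (path, reason))
    for hook in find_active_hooks(".git"):
        print("active hook:", hook)
```

Run it as `python3 check.py .gitmodules` inside a non-recursive clone; an empty finding list and a patched `git` are the precondition for running `git submodule update --init --recursive`. The version check deliberately errs on the side of reporting a vendor-numbered Git as unpatched rather than guessing about backports.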
Conclusion
The discovery of CVE-2025-48384 highlights the critical importance of maintaining up-to-date software and exercising caution when interacting with external repositories. By promptly applying patches and adhering to best practices, developers and organizations can mitigate the risks associated with this vulnerability and safeguard their systems against potential exploitation.