The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding a high-severity vulnerability in Git, identified as CVE-2025-48384. This flaw allows attackers to perform arbitrary file writes by exploiting Git’s improper handling of carriage return (CR) characters in configuration files. The vulnerability has been actively exploited, highlighting the immediate need for mitigation measures.
Understanding CVE-2025-48384
CVE-2025-48384 arises from Git’s inconsistent processing of trailing carriage return characters in configuration files such as `.git/config`. When reading configuration values, Git strips trailing CR and line feed (LF) characters. However, when writing a configuration entry that ends with a CR, Git fails to quote the value properly, resulting in the loss of the CR upon re-reading. This behavior can be exploited during submodule initialization.
For instance, if a submodule path ends with a CR character, Git’s reading process alters the intended path. If a symbolic link (symlink) named after the altered path points to the `.git/hooks` directory, an attacker can place a malicious `post-checkout` hook into the hooks directory. Upon checkout, this hook executes arbitrary code with the user’s privileges, enabling arbitrary file writes across the filesystem.
Impact and Risk Factors
This vulnerability poses significant risks, particularly to Continuous Integration/Continuous Deployment (CI/CD) pipelines and automated build systems. The ability to execute arbitrary code during repository cloning can lead to unauthorized code execution, data tampering, or supply chain compromises within critical software development lifecycles.
Affected Products:
– Git versions up to and including 2.50.0, as well as maintenance tracks 2.43.7 through 2.49.1.
Impact:
– Arbitrary file writes or code execution.
Exploit Prerequisites:
– Cloning an untrusted repository containing a submodule with a path ending in a CR character.
CVSS 3.1 Score:
– 8.0 (High)
Mitigation Strategies
CISA strongly recommends that organizations apply the following mitigations without delay:
1. Update Git Versions:
– Upgrade to Git version 2.50.1 or later.
– For older maintenance tracks, update to the latest patched versions:
– 2.43.7
– 2.44.4
– 2.45.4
– 2.46.4
– 2.47.3
– 2.48.2
– 2.49.1
– These updates are available at the official kernel.org repositories.
2. Implement Binding Operational Directive (BOD) 22-01 Controls:
– For cloud-based development environments, enforce patching or disable vulnerable Git installations centrally.
3. Disable Git Submodule Initialization:
– If immediate patching is not feasible, disable Git submodule initialization.
– Remove the `.git/hooks/post-checkout` script from CI/CD runners and developer workstations.
Urgency and Compliance
Organizations are urged to prioritize this vulnerability, ensuring patches are deployed by September 15, 2025, the official due date for remediation. Failure to address CVE-2025-48384 could result in severe security breaches, including unauthorized code execution and data tampering.
Conclusion
The active exploitation of CVE-2025-48384 underscores the critical need for immediate action. By promptly updating Git installations and implementing the recommended mitigations, organizations can protect their development environments from potential attacks.
