CVE-2025-48384 | Git allows arbitrary code execution through broken config quoting

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, so the CR is lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read, resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
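Two defender-side checks that follow from the description above, written as an added example (not Git's own code and not part of this tracker): a version test against the fixed-version list the advisory gives, and a scan of raw `.gitmodules` or config bytes for `path` values that still carry a CR or other control character once the line terminator is removed. Assumptions: `FIXED_PATCH` is derived from the advisory's list, versions outside the listed 2.x lines (including 2.51 and later) are treated as unaffected, and the `.gitmodules` sample is constructed here.

```python
import re
from typing import List, Tuple

# Fixed patch level per 2.x minor line, taken from the advisory's fixed-version list.
FIXED_PATCH = {43: 7, 44: 4, 45: 4, 46: 4, 47: 3, 48: 2, 49: 1, 50: 1}

def parse_version(text: str) -> Tuple[int, int, int]:
    """'git version 2.47.2.windows.1' -> (2, 47, 2); trailing suffixes are ignored."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    major, minor, patch = parse_version(version)
    if major != 2:
        return False                     # only Git 2.x lines are listed
    if minor < 43:
        return True                      # anything older than 2.43.7
    if minor in FIXED_PATCH:
        return patch < FIXED_PATCH[minor]
    return False                         # 2.51+ shipped after the fix (assumption)

def suspicious_paths(raw: bytes) -> List[Tuple[int, bytes]]:
    """Return (line number, raw value) for 'path' values that still carry a
    control character once the line terminator is removed. A uniformly CRLF
    file has one CR stripped per line, so a stray CR in an LF file or a
    doubled CR in a CRLF file stays in the value and is reported."""
    lines = raw.split(b"\n")
    body = [ln for ln in lines if ln]
    crlf_file = bool(body) and all(ln.endswith(b"\r") for ln in body)
    hits = []
    for no, ln in enumerate(lines, 1):
        if crlf_file and ln.endswith(b"\r"):
            ln = ln[:-1]
        m = re.match(rb"\s*path\s*=[ \t]*(.*)$", ln, re.DOTALL)
        if m and re.search(rb"[\x00-\x1f\x7f]", m.group(1)):
            hits.append((no, m.group(1)))
    return hits

# Constructed sample .gitmodules (LF line endings) whose second path value ends in CR.
SAMPLE = (b'[submodule "lib"]\n\tpath = lib\n\turl = https://example.invalid/lib.git\n'
          b'[submodule "odd"]\n\tpath = hooks\r\n\turl = https://example.invalid/odd.git\n')

if __name__ == "__main__":
    print(suspicious_paths(SAMPLE))           # [(5, b'hooks\r')]
    print(is_affected("git version 2.47.2"))  # True
```

Run `suspicious_paths` over the raw bytes of `.gitmodules` (and `.git/config`) in a pre-receive hook or CI step; any hit is a config value that Git will read back differently from how it was written.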

Published: 2025-07-08 Last update: 2025-11-06 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2025-48384 is rated Critical Active Threat (81.5/100): CVSS High severity, with medium exploitation likelihood (EPSS 0.60%). Core evidence: CISA KEV confirms active exploitation (added 2025-08-25), affecting Git (vendor Git). The underlying weakness is CWE-436; unauthenticated remote administrative access may be possible. Mandatory action: the CISA remediation deadline has passed; treat this as an emergency patch priority.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

CISA KEV Record for CVE-2025-48384

Name: Git Link Following Vulnerability · CISA KEV detail

Exploit added: 2025-08-25

Action due: 2025-09-15

Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Exploit prediction scoring system (EPSS) score for CVE-2025-48384

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#  Date        Old EPSS score  New EPSS score  Delta (New - Old)
1  2026-05-24  0.48%           0.60%           +0.12%
2  2026-05-22  0.62%           0.48%           -0.14%
3  2026-05-04                  0.62%

Full EPSS history (42 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-48384

CVSS metrics for this CVE.

Base score  Version  Severity  Exploitability  Impact  Score source
8.0         3.1      HIGH      1.3             6.0     [email protected]

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack vector (AV:N): could be attacked over the internet or any normally routed network, not just by someone sitting at the machine.
Attack complexity (AC:H): even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:L): a normal user session is enough; the attacker does not have to be admin.
User interaction (UI:R): a real person has to do something (click, install, enable), otherwise it does not land.
Scope (S:C): breaking this can reach past the original component and affect other resources, a bigger blast radius.
Confidentiality (C:H): serious risk that confidential data gets exposed in a big way.
Integrity (I:H): data could be widely tampered with or forged; trust in the data is badly hurt.
Availability (A:H): could take the service down hard or make it unusable for people who depend on it.

Weakness enumeration for CVE-2025-48384

OS Trackers for CVE-2025-48384

Vendor Priority Summary Link
alpine high 1 source package (git); 91 state rows across 5 repos (3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main): fixed 5, open 86. https://security.alpinelinux.org/vuln/CVE-2025-48384
debian not yet assigned Priority not yet assigned: 1 source package (git), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2025-48384
gentoo high 1 GLSA (202507-09), 1 atom (dev-vcs/git); latest impact high. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2025-48384
redhat high https://access.redhat.com/security/cve/CVE-2025-48384
suse high Severity important: 153 source package names (0.0.17-1.1:git-core-2.51.0-150600.3.12.1, 0.1.6-1.2:git-2.51.0-150600.3.12.1, …), 349 product×package rows across 44 product lines (Container bci/kiwi, Container bci/spack, …): fixed 349. https://www.suse.com/security/cve/CVE-2025-48384/
ubuntu high High priority: 1 source package (git), 8 status rows across 8 suites (bionic, focal, jammy, noble, oracular, plucky, upstream, xenial): released 8. https://ubuntu.com/security/CVE-2025-48384

Affected software / configurations for CVE-2025-48384

Vendor Product Version Raw CPE
git-scm git < 2.43.7 cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
git-scm git >= 2.44.0, < 2.44.4 cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
git-scm git >= 2.45.0, < 2.45.4 cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
git-scm git >= 2.46.0, < 2.46.4 cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
git-scm git >= 2.47.0, < 2.47.3 cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
git-scm git >= 2.48.0, < 2.48.2 cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
git-scm git >= 2.49.0, < 2.49.1 cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
git-scm git >= 2.50.0, < 2.50.1 cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
debian debian_linux 11.0 cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
apple xcode < 26.0 cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*

References for CVE-2025-48384