Git config CRLF issue allows unintended submodule hook exec (v2.43+)
CVE-2025-48384 Published on July 8, 2025
Git allows arbitrary code execution through broken config quoting
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
Known Exploited Vulnerability
This Git Link Following Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Git contains a link following vulnerability that stems from Git’s inconsistent handling of carriage return characters in configuration files.
The following remediation steps are recommended / required by September 15, 2025: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Vulnerability Analysis
CVE-2025-48384 is exploitable with network access, requires user interaction and a small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. This vulnerability is known to be actively exploited by threat actors. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Types
Interpretation Conflict
Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. This is generally found in proxies, firewalls, anti-virus software, and other intermediary devices that monitor, allow, deny, or modify traffic based on how the client or server is expected to behave.
What is an insecure temporary file Vulnerability?
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
CVE-2025-48384 has been classified to as an insecure temporary file vulnerability or weakness.
Products Associated with CVE-2025-48384
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-48384 are published in these products:
Affected Versions
git:- Version < 2.43.7 is affected.
- Version >= 2.44.0-rc0, < 2.44.4 is affected.
- Version >= 2.45.0-rc0, < 2.45.4 is affected.
- Version >= 2.46.0-rc0, < 2.46.4 is affected.
- Version >= 2.47.0-rc0, < 2.47.3 is affected.
- Version >= 2.48.0-rc0, < 2.48.2 is affected.
- Version >= 2.49.0-rc0, < 2.49.1 is affected.
- Version >= 2.50.0-rc0, < 2.50.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.