Critical Git RCE Flaw (CVE-2025-48384) Actively Exploited by Attackers
▼ Summary
– CVE-2025-48384 is a vulnerability in Git that allows remote code execution via maliciously crafted submodule paths containing control characters.
– The flaw stems from a mismatch in how Git reads versus writes configuration values, enabling attackers to redirect submodule contents and achieve arbitrary filesystem writes.
– Exploitation is confirmed in the wild, with proof-of-concept exploits already available and attacks being tracked by CISA.
– Users must update Git to fixed versions (v2.50.1 and others) and avoid recursively cloning submodules from untrusted repositories to mitigate risk.
– CISA has mandated US federal agencies to patch the vulnerability by September 15, 2025, due to its active exploitation.
A newly identified vulnerability in Git, designated as CVE-2025-48384, is now under active exploitation, posing a serious threat to developers and organizations relying on the widely used version control system. The flaw allows attackers to execute arbitrary code on affected systems, making immediate patching essential for anyone using Git on macOS or Linux environments.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially confirmed that this vulnerability is being exploited in the wild. In response, the agency added the flaw to its Known Exploited Vulnerabilities catalog, mandating that all federal civilian agencies apply mitigations by September 15, 2025.
This security issue arises from an inconsistency in how Git handles configuration values containing control characters. According to researchers, the problem occurs when reading and writing these values, specifically, carriage return characters may be removed during read operations but retained during writes. This discrepancy enables malicious actors to craft a specially designed `.gitmodules` file that redirects submodule content in harmful ways.
By exploiting this behavior, an attacker can force the installation of a malicious Git hook script. This script executes automatically during routine Git operations such as `git commit` or `git merge`, leading to remote code execution. The consequences are severe: attackers can gain control over the victim’s system, access sensitive data, or maintain persistent access without detection.
Fixed versions of Git were released on July 8, 2025, including v2.50.1, v2.49.1, v2.48.2, v2.47.3, v2.46.4, v2.45.4, v2.44.4, and v2.43.7. Shortly after the patch release, functional proof-of-concept exploits began circulating, confirming that the vulnerability is both real and readily weaponized.
What makes this flaw particularly dangerous is its ease of exploitation. Attackers can create a malicious repository that triggers code execution as soon as it is cloned. Additionally, the vulnerability can be used to overwrite a user’s Git configuration file, enabling stealthy exfiltration of proprietary source code or other intellectual property. These actions often go unnoticed, allowing attackers to operate undetected for extended periods.
Developers and system administrators are urged to verify that their Git installations are updated to a patched version immediately. This is especially critical for macOS users, who should ensure they are not relying on the outdated version bundled with Command Line Tools. Organizations should also audit their CI/CD pipelines, as build systems may still be using vulnerable Git versions.
As a best practice, users should avoid recursively cloning submodules from untrusted repositories, as this can serve as an initial attack vector. Staying informed through reliable cybersecurity alerts is also recommended, as threat landscapes evolve rapidly.
(Source: HelpNet Security)
