
CISA Warns of Critical Git Flaw Under Active Exploitation

Summary

– CISA warns of hackers exploiting a high-severity vulnerability (CVE-2025-48384) in Git’s handling of carriage return characters in configuration files.
– The flaw allows arbitrary code execution when users clone malicious repositories with crafted submodules and symlinks.
– Git has released patches in multiple versions (2.43.7 through 2.50.1) and recommends avoiding untrusted recursive submodule clones if updating isn’t possible.
– CISA also added two medium-severity Citrix Session Recording vulnerabilities (CVE-2024-8068 and CVE-2024-8069) to its KEV catalog, which allow privilege escalation and limited remote code execution.
– Federal agencies and organizations must apply patches for both Git and Citrix vulnerabilities by September 15th or discontinue using affected products.

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has issued an urgent warning regarding active exploitation of a critical vulnerability in the Git version control system. This high-severity flaw, which allows arbitrary code execution, has been added to CISA’s Known Exploited Vulnerabilities catalog, with federal agencies required to apply patches by September 15th.

Git serves as the foundation for modern collaborative software development, underpinning widely used platforms like GitHub, GitLab, and Bitbucket. The vulnerability, tracked as CVE-2025-48384, stems from improper handling of carriage return characters within configuration files. A discrepancy in how Git writes and reads these characters leads to incorrect submodule path resolution.

Attackers can weaponize this flaw by creating repositories containing submodules that end with a carriage return character, combined with a malicious symbolic link. When users clone these repositories, the setup triggers arbitrary code execution on their systems. Git developers identified the issue on July 8, 2025, and released patches across multiple versions, including 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.

For organizations unable to update immediately, mitigation strategies include avoiding recursive submodule clones from untrusted sources, disabling Git hooks globally via the core.hooksPath setting, or enforcing the use of only pre-audited submodules.
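The two checks a defender would want before pulling submodules from an unfamiliar repository are whether the local Git is at or above one of the fixed releases listed above, and whether the repository's .gitmodules declares a submodule path carrying a carriage return. The script below is an added example, not code from the article, Git, or CISA; the version table is copied from the patch list above, the assumption that any 2.51+ or 3.x release is past the fix and that lines older than 2.43 have no fixed release is mine, and the sample .gitmodules is constructed.

```python
"""Pre-clone checks for CVE-2025-48384 (added example, not from the article).

  1. is_patched(): is a Git version string at or above one of the fixed
     releases the article lists (2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3,
     2.48.2, 2.49.1, 2.50.1)?
  2. find_cr_submodule_values(): does a .gitmodules file, fetched without a
     recursive clone, declare a submodule path or url whose value carries a
     carriage return, the trigger the article describes?
"""
import re
import subprocess

# Fixed patch level per minor line, taken from the article's patch list.
FIXED_PATCH_LEVEL = {43: 7, 44: 4, 45: 4, 46: 4, 47: 3, 48: 2, 49: 1, 50: 1}
MIN_FIXED_MINOR = min(FIXED_PATCH_LEVEL)
MAX_FIXED_MINOR = max(FIXED_PATCH_LEVEL)


def parse_git_version(text: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from 'git version 2.47.3' or '2.47.3'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_patched(version_text: str) -> bool:
    """True if the version is at or above the fixed release for its minor line."""
    major, minor, patch = parse_git_version(version_text)
    if major > 2:
        return True                      # assumption: later major lines carry the fix
    if major < 2 or minor < MIN_FIXED_MINOR:
        return False                     # no fixed release listed for these lines
    if minor > MAX_FIXED_MINOR:
        return True                      # assumption: lines newer than 2.50 carry the fix
    return patch >= FIXED_PATCH_LEVEL[minor]


def find_cr_submodule_values(gitmodules_text: bytes) -> list[tuple[str, str]]:
    """Return (key, value) pairs for path/url values that still contain a CR byte.

    Works on raw bytes on purpose: opening the file in text mode with
    universal newlines would silently drop the very character we look for.
    Only spaces and tabs are stripped around the value, never CR.
    """
    findings = []
    for raw_line in gitmodules_text.split(b"\n"):
        if b"=" not in raw_line:
            continue
        key, _, value = raw_line.partition(b"=")
        key = key.strip().decode("utf-8", "replace")
        value = value.strip(b" \t")
        if key in ("path", "url") and b"\r" in value:
            findings.append((key, value.decode("utf-8", "replace")))
    return findings


# Constructed sample: one ordinary submodule and one whose path value ends in CR.
SAMPLE_GITMODULES = (
    b'[submodule "lib"]\n'
    b'\tpath = lib\n'
    b'\turl = https://example.invalid/lib.git\n'
    b'[submodule "vendor"]\n'
    b'\tpath = vendor\r\n'
    b'\turl = https://example.invalid/vendor.git\n'
)


if __name__ == "__main__":
    out = subprocess.run(["git", "--version"], capture_output=True, text=True, check=True).stdout
    verdict = "patched" if is_patched(out) else "update, or apply the mitigations above"
    print(f"{out.strip()} -> {verdict}")
    for key, val in find_cr_submodule_values(SAMPLE_GITMODULES):
        print(f"suspicious submodule {key} value: {val!r}")
```

Run the .gitmodules check on a plain (non-recursive) clone before any `--recurse-submodules` or `git submodule update --init`. A file written with CRLF line endings will be flagged on every line; Git itself writes LF, so that is still a reason to inspect the repository rather than a false alarm to suppress.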

In the same update, CISA also flagged two medium-severity vulnerabilities in Citrix Session Recording, CVE-2024-8068 and CVE-2024-8069, both patched by the vendor in November 2024. The first allows authenticated users within the same Active Directory domain to escalate privileges to the NetworkService account. The second enables limited remote code execution with the same privileges through deserialization of untrusted data.

These Citrix flaws impact multiple versions of Session Recording, including releases prior to specific hotfixes in the 2407, 1912 LTSR, 2203 LTSR, and 2402 LTSR branches. CISA has set the same September 15th deadline for applying Citrix-provided fixes or discontinuing use of affected products.

(Source: Bleeping Computer)
