Full Report
A vulnerability has been discovered in Git that could allow for remote code execution. Git is a free and open-source distributed version control system (VCS) designed to track changes in source code during software development; it is widely used for coordinating work among multiple developers on the same project. Successful exploitation lets an attacker plant a malicious Git hook script in a victim's repository when the victim clones or initialises submodules from an attacker-controlled repository; the script then runs with the victim's privileges the next time a Git subcommand fires that hook (the checkout that completes a recursive clone, or later commands such as `git commit` and `git merge`).
Analysis Summary
# Vulnerability: Git Remote Code Execution via Malicious .gitmodules File
## CVE Details
- CVE ID: CVE-2025-48384
- CVSS Score: Not given in the source; **HIGH** risk is implied by the RCE outcome and by the CVE's addition to CISA's KEV catalog.
- CWE: Not listed in the source; the flaw is an input-handling issue (a configuration value that does not survive a read/write round trip) that yields an arbitrary file write.
## Affected Systems
- Products: Git (version control system)
- Versions: Versions prior to v2.50.1, v2.49.1, v2.48.2, v2.47.3, v2.46.4, v2.45.4, v2.44.4, and v2.43.7
- Configurations: Any user or build system that clones, fetches submodules from, or otherwise initialises submodules of an untrusted repository (for example `git clone --recursive`). Subcommands that later run hooks (`git commit`, `git merge`) execute whatever that earlier write planted.
## Vulnerability Description
The vulnerability resides in how Git round-trips configuration values, and `.gitmodules` is the attacker-controlled config file that reaches that code. When Git reads a config value it strips a trailing carriage return (a CRLF line ending), but a CR that sits inside a double-quoted value survives the read. When Git then writes such a value into another config file (for example the submodule's worktree path), the pre-fix writer does not quote it, so the CR is emitted bare immediately before the newline, and the next read strips it: the path Git ends up using differs from the path declared in `.gitmodules` by that one trailing byte. If the attacker's repository also contains a symlink at the altered path that points into a hooks directory, the submodule's files, including an executable hook script, are written there. The advisory's documented case is a `post-checkout` hook that runs as soon as the recursive clone finishes; the same mechanism plants hooks fired by later subcommands (e.g. `git commit`, `git merge`). In MITRE ATT&CK terms this is a client-side attack, Execution (TA0002) via User Execution: Malicious File (T1204.002), rather than Initial Access (TA0001) via Exploit Public-Facing Application (T1190): nothing public-facing is exploited; the victim runs Git on attacker-supplied repository content.
## Exploitation
- Status: **PoC available**; CISA has added the CVE to its Known Exploited Vulnerabilities catalog, so it is being exploited in the wild.
- Complexity: Implied **Medium**: the attacker must craft the `.gitmodules` entry and lay out the repository (symlink plus hook script) so that the altered path lands in a hooks directory.
- Attack Vector: Network (the victim clones or pulls the attacker's repository); the resulting code runs locally, as the user or service account running Git.
## Impact
- Confidentiality: High (leading to RCE)
- Integrity: High (arbitrary file write leading to RCE)
- Availability: High (system compromise)
## Remediation
### Patches
- Update Git to the fixed release for the maintenance track in use: **v2.50.1**, **v2.49.1**, **v2.48.2**, **v2.47.3**, **v2.46.4**, **v2.45.4**, **v2.44.4**, or **v2.43.7** (or any later release). The fix changes the config writer so that values containing a CR are quoted and therefore survive the round trip.
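To check an installed Git against the list above across a fleet, here is an added Python helper (example code, not from the source document or the Git project). It maps a version string, as printed by `git --version`, onto its maintenance track: a version on a listed track below its fix, or on an older unlisted track, is reported as vulnerable; any track newer than the listed ones is assumed to carry the fix, which is how Git's maintenance releases work but is an assumption of this example rather than a statement in the source.

```python
import re

# Fixed releases named in the advisory, one per maintenance track (major.minor).
FIXED_VERSIONS = ["2.50.1", "2.49.1", "2.48.2", "2.47.3",
                  "2.46.4", "2.45.4", "2.44.4", "2.43.7"]


def parse_version(text):
    """Extract (major, minor, patch) from '2.47.2', 'git version 2.47.2',
    '2.47.2.windows.1' or similar; raise if no x.y.z triple is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised git version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def _fix_table():
    """Map each patched maintenance track to the first patch level that is fixed."""
    table = {}
    for fixed in FIXED_VERSIONS:
        major, minor, patch = parse_version(fixed)
        table[(major, minor)] = patch
    return table


def is_patched(version_string):
    """True if the given Git version contains the fix for CVE-2025-48384."""
    major, minor, patch = parse_version(version_string)
    table = _fix_table()
    track = (major, minor)
    if track in table:
        # Same track as a listed fix: compare patch levels within the track.
        return patch >= table[track]
    if track > max(table):
        # Assumption: a track newer than the newest listed fix (e.g. 2.51.x)
        # was released after the fix and includes it.
        return True
    # Older track with no backport listed: treat as vulnerable.
    return False


def vulnerable_hosts(inventory):
    """Given {hostname: 'git --version' output}, return the hosts still exposed."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


if __name__ == "__main__":
    # Constructed inventory for illustration.
    sample = {
        "ci-runner-01": "git version 2.47.2",
        "dev-laptop-07": "git version 2.50.1.windows.1",
        "build-box-03": "git version 2.42.0",
        "dev-laptop-12": "git version 2.51.0",
    }
    print("still vulnerable:", vulnerable_hosts(sample))
```

Run it against the output of `git --version` collected from each host; Git copies bundled with IDEs, CI runner images and containers need to be inventoried separately, since they are not updated by the OS package manager.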
### Workarounds
- No specific workarounds are listed in the source document; updating Git is the fix. Because the trigger is submodule initialisation from an untrusted repository, holding off on `--recursive` clones and `git submodule update` of untrusted repositories until Git is updated reduces exposure in the meantime.
- The general mitigations the source mentions (DEP, WDEG, SIP, Gatekeeper) are sound hardening but do not address this flaw: the payload is a hook script executed by Git itself, not a memory-corruption exploit that those controls are designed to stop.
## Detection
- Indicators of compromise: `.gitmodules` entries whose `path` value contains a carriage return byte (inspect the raw file; `git config -f .gitmodules` normalises the CR away); symlinks in a cloned tree that resolve into `.git/hooks` or `.git/modules/*/hooks`; unexpected executable files in those hook directories, particularly right after a recursive clone; and unauthorised file writes occurring during routine Git operations (`clone`, `commit`, `merge`).
- Detection methods and tools: inventory installed Git versions (`git --version`) against the fixed releases above, including copies bundled with IDEs, CI runners and container images; implement vulnerability scanning (authenticated and unauthenticated, quarterly or more frequently) and keep the vulnerability management process robust.
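The round trip described in the Vulnerability Description and the raw-file check listed under indicators of compromise, as one added Python example (a model written for this page, not Git's own code and not from the advisory): a minimal config reader and writer that reproduce the CR asymmetry, with a flag selecting the pre-fix or the fixed writer, plus a scanner that flags a CR inside a `.gitmodules` path value while tolerating ordinary CRLF line endings. The two sample files, the `evil`/`hooks_link`/`lib` names and all function names are constructed for the example.

```python
import re

# Constructed sample files (not from a real PoC). The malicious one carries a
# quoted submodule path ending in a literal CR byte; the benign one merely uses
# CRLF line endings, which Git accepts and which a scanner must not flag.
MALICIOUS_GITMODULES = (
    '[submodule "evil"]\n'
    '\tpath = "hooks_link\r"\n'
    '\turl = https://example.invalid/evil.git\n'
)
BENIGN_CRLF_GITMODULES = (
    '[submodule "lib"]\r\n'
    '\tpath = lib\r\n'
    '\turl = https://example.invalid/lib.git\r\n'
)


def _unescape(value):
    # Backslash escapes accepted inside a double-quoted config value.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), value)


def read_config_value(line):
    """Model of Git reading one `key = value` line.

    CRLF is collapsed to LF before the value is parsed, so a bare CR just
    before the newline is lost; a CR inside double quotes, followed by the
    closing quote, is kept as part of the value.
    """
    if line.endswith("\r\n"):
        line = line[:-2]
    line = line.rstrip("\n")
    _, _, raw = line.partition("=")
    raw = raw.strip(" \t")
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1])
    return raw.rstrip(" \t\r")  # unquoted values lose trailing whitespace


def write_config_line(key, value, quote_cr):
    """Model of Git writing one config entry.

    quote_cr=False models the pre-fix writer: values with space, tab, quote,
    backslash, newline, ';' or '#' are quoted, but CR is not on the list, so a
    trailing CR is emitted bare and merges into the line ending.
    quote_cr=True models the fix, which also quotes values containing CR.
    """
    special = ' \t"\\\n;#' + ("\r" if quote_cr else "")
    if any(c in value for c in special):
        value = '"' + (value.replace("\\", "\\\\").replace('"', '\\"')
                       .replace("\n", "\\n").replace("\t", "\\t")) + '"'
    return f"\t{key} = {value}\n"


def round_trip(value, quote_cr):
    """The value Git ends up using after writing `value` (e.g. the submodule's
    worktree path) to a config file and reading it back."""
    return read_config_value(write_config_line("worktree", value, quote_cr))


def find_cr_submodule_paths(text):
    """Scan raw .gitmodules text for `path` values holding a CR anywhere other
    than as the CR of a CRLF line ending. Returns (line number, submodule
    name, raw value) tuples. Do not use `git config -f .gitmodules` for this:
    that reader is exactly the code path that normalises the CR away."""
    hits, section = [], None
    for lineno, line in enumerate(text.split("\n"), 1):
        if line.endswith("\r"):          # drop only the CR of a CRLF ending
            line = line[:-1]
        m = re.match(r'\s*\[submodule\s+"([^"]*)"\]', line)
        if m:
            section = m.group(1)
            continue
        m = re.match(r"\s*path\s*=\s*(.*)", line)
        if m and "\r" in m.group(1):
            hits.append((lineno, section, m.group(1)))
    return hits


def scan_gitmodules_file(filename):
    """Read as bytes: Python's text mode with universal newlines would turn a
    lone CR into LF and hide the indicator."""
    with open(filename, "rb") as f:
        return find_cr_submodule_paths(f.read().decode("utf-8", errors="replace"))


if __name__ == "__main__":
    declared = read_config_value('\tpath = "hooks_link\r"\n')
    print("declared path:", repr(declared))
    print("used after pre-fix round trip:", repr(round_trip(declared, quote_cr=False)))
    print("used after fixed round trip:  ", repr(round_trip(declared, quote_cr=True)))
    print("malicious hits:", find_cr_submodule_paths(MALICIOUS_GITMODULES))
    print("benign CRLF hits:", find_cr_submodule_paths(BENIGN_CRLF_GITMODULES))
```

The scanner only covers the `.gitmodules` precondition; the advisory's attack also needs a symlink in the superproject that resolves into a hooks directory, so pair it with a listing of symlinks in freshly cloned trees before running `git submodule update`.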
## References
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48384
- Help Net Security: https://www.helpnetsecurity.com/2025/08/26/git-vulnerability-exploited-cve-2025-48384/