🟢 CVE-2025-48384

Git vulnerability allowing arbitrary code execution through malicious repositories with crafted submodule paths. Requires user interaction (git clone --recursive) and primarily affects client-side Git operations rather than internet-facing server applications.

Risk Level: LOW_RISK

CVSS Score: 8.1

Attack Vector: NETWORK

ATT&CK Tactic: Execution

ATT&CK Technique: T1204 — User Execution

Deployment Risk: LOW

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: USER_INTERACTION

CVE Published: 2025-07-08

Added to CISA KEV: 2025-08-25 (48 days between CVE and KEV)

🎯 Recommendations:

πŸ” Web Intelligence (Kagi Β· 2025-09-06)

CVE-2025-48384 is a high-severity vulnerability in Git that allows for arbitrary code execution upon cloning a Git repository [1].

Here's what is known about its exploitation:

  • Internet-facing applications or services: Successful exploitation could allow a remote attacker to execute arbitrary code upon cloning a Git repository [1]. The vulnerability can be triggered by cloning a repository that contains submodules with the `--recursive` flag [2].
  • Evidence of active exploitation in the wild: CISA and other sources confirm that CVE-2025-48384 is being actively exploited by attackers [3][4].
  • Attack vectors and exploitation methods: The vulnerability stems from Git's mishandling of carriage return characters in submodule paths during initialization [5][6]. An attacker can exploit this by creating a malicious Git repository containing a crafted `.gitmodules` file. When a user clones this repository with the `--recursive` option, Git incorrectly parses the submodule paths, leading to the execution of a post-checkout hook and, ultimately, arbitrary code execution [5][7].
  • Targeted attacks: There is no specific information available regarding whether CVE-2025-48384 has been used in targeted attacks.
  • CISA Known Exploited Vulnerabilities (KEV) status: CISA added CVE-2025-48384 to its KEV catalog on August 25, 2025, with a remediation deadline of September 15, 2025, for U.S. federal agencies [3][8]. This means that CISA has determined that this vulnerability is being actively exploited in the wild and poses a significant risk [9].
  • Technical details about internet exploitability: The vulnerability allows arbitrary file write and, ultimately, code execution on Linux and macOS systems when using `git clone --recursive` on a weaponized repository [7]. When reading a config value, Git strips any trailing carriage return and line feed (CRLF) [10].
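
A defender-side check for the condition described in the list above, as an added example (not code from this page or from the Git project): it scans the raw bytes of a `.gitmodules` file and reports submodule `path` values that contain control characters such as a carriage return. It is a line-based heuristic rather than Git's own config parser; the function name, regular expressions and sample input are constructed for illustration.

```python
import re

# Heuristic patterns (assumptions of this example, not Git's config grammar).
SECTION = re.compile(rb'^[ \t]*\[submodule[ \t]+"(.*)"\][ \t]*$')
PATH = re.compile(rb'^[ \t]*path[ \t]*=[ \t]*(.*)$', re.IGNORECASE)
# Any control byte except TAB; a CR left inside a value is the case of interest.
CONTROL = re.compile(rb'[\x00-\x08\x0a-\x1f\x7f]')


def suspicious_submodule_paths(gitmodules: bytes):
    """Return (submodule name, raw path value) pairs whose path holds control bytes."""
    findings = []
    name = b"?"
    # Split on LF only, so carriage returns stay visible in each line.
    for line in gitmodules.split(b"\n"):
        # One CR directly before the LF is an ordinary CRLF line ending.
        if line.endswith(b"\r"):
            line = line[:-1]
        section = SECTION.match(line)
        if section:
            name = section.group(1)
            continue
        path = PATH.match(line)
        if path and CONTROL.search(path.group(1)):
            findings.append((name.decode("utf-8", "replace"), path.group(1)))
    return findings


# Constructed sample: "docs" is a benign entry in a CRLF-terminated file,
# "vendor" carries a carriage return inside the path value itself.
SAMPLE = (
    b'[submodule "docs"]\r\n'
    b'\tpath = docs\r\n'
    b'\turl = https://example.invalid/docs.git\r\n'
    b'[submodule "vendor"]\n'
    b'\tpath = "vendor/lib\r"\n'
    b'\turl = https://example.invalid/lib.git\n'
)

if __name__ == "__main__":
    for submodule, raw in suspicious_submodule_paths(SAMPLE):
        print(f"submodule {submodule!r}: control byte in path {raw!r}")
```

Pass the file contents read in binary mode; reading in text mode can translate line endings and hide the carriage return.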

Sources

  1. Exploitation of Git Vulnerability CVE-2025-48384 - NHS Digital

    Successful exploitation could allow a remote attacker to execute arbitrary code upon cloning a Git repository. CVE-2025-48384 stems from ...

  2. Organizations Warned of Exploited Git Vulnerability

    The US cybersecurity agency CISA on Monday warned that a recent vulnerability in Git has been exploited in attacks, urging its immediate patching. The flaw, tracked as CVE-2025-48384 (CVSS score of 8.1), is described as an arbitrary file write during the cloning of repositories with submodules that…

  3. Root - CVE-2025-48384: Critical Git Vulnerability Actively Exploited

    Root Security Bulletin: CVE-2025-48384 – Critical Git Vulnerability Actively Exploited. Date: August 26, 2025. Severity: High (CVSS v3.1 Score: 8.0). Overview. Technical Details. The vulnerability arises from an inconsistency in Git's configuration parsing logic…

  4. Git vulnerability leading to RCE is being exploited by attackers (CVE ...

    CVE-2025-48384, a recently patched vulnerability in the popular distributed revision control system Git, is being exploited by attackers.

  5. CVE-2025-48384 | SOCRadar Labs CVE Radar - SOCRadar

    Description. CVE-2025-48384 describes a vulnerability in Git related to the handling of trailing carriage return characters in submodule paths during initialization. This can lead to a scenario where a post-checkout hook is unintentionally executed, potentially allowing malicious code execution.