CVE-2025-48384

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-48384
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.

8.0 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9 Vendor Advisory
http://seclists.org/fulldisclosure/2025/Sep/60 Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2025/07/08/4 Mailing List
https://lists.debian.org/debian-lts-announce/2025/10/msg00003.html Mailing List Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48384 US Government Resource
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*
History

06 Nov 2025, 14:52

Type Values Removed Values Added
References () http://www.openwall.com/lists/oss-security/2025/07/08/4 - () http://www.openwall.com/lists/oss-security/2025/07/08/4 - Mailing List

04 Nov 2025, 22:16

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2025/07/08/4 -

04 Nov 2025, 14:50

Type Values Removed Values Added
First Time Apple
Debian debian Linux
Debian
Apple xcode
CPE cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
References () http://seclists.org/fulldisclosure/2025/Sep/60 - () http://seclists.org/fulldisclosure/2025/Sep/60 - Mailing List, Third Party Advisory
References () https://lists.debian.org/debian-lts-announce/2025/10/msg00003.html - () https://lists.debian.org/debian-lts-announce/2025/10/msg00003.html - Mailing List, Third Party Advisory

03 Nov 2025, 19:16

Type Values Removed Values Added
References
  • () http://seclists.org/fulldisclosure/2025/Sep/60 -

03 Nov 2025, 18:16

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2025/10/msg00003.html -

24 Oct 2025, 13:58

Type Values Removed Values Added
References () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48384 - () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48384 - US Government Resource

21 Oct 2025, 23:17

Type Values Removed Values Added
References
  • () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48384 -

21 Oct 2025, 20:20

Type Values Removed Values Added
References
  • {'url': 'https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48384', 'source': '134c704f-9b21-4f2e-91b3-4a467353bcc0'}

21 Oct 2025, 19:21

Type Values Removed Values Added
References
  • () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48384 -

26 Aug 2025, 14:45

Type Values Removed Values Added
CPE cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
First Time Git-scm git
Git-scm
References () https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9 - () https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9 - Vendor Advisory

10 Jul 2025, 13:18

Type Values Removed Values Added
Summary
  • (es) Git es un sistema de control de versiones distribuido, rápido y escalable, con un conjunto de comandos excepcionalmente completo que proporciona operaciones de alto nivel y acceso completo a su funcionamiento interno. Al leer un valor de configuración, Git elimina cualquier retorno de carro y avance de línea (CRLF) final. Al escribir una entrada de configuración, los valores con un CR final no se entrecomillan, lo que provoca que el CR se pierda al leer la configuración posteriormente. Al inicializar un submódulo, si la ruta del submódulo contiene un CR final, se lee la ruta modificada, lo que provoca que el submódulo se extraiga a una ubicación incorrecta. Si existe un enlace simbólico que apunta la ruta modificada al directorio de ganchos del submódulo, y este contiene un gancho ejecutable posterior a la extracción, el script podría ejecutarse accidentalmente después de la extracción. Esta vulnerabilidad se ha corregido en v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1 y v2.50.1.

08 Jul 2025, 19:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-07-08 19:15

Updated : 2025-11-06 14:52

NVD link : CVE-2025-48384

Mitre link : CVE-2025-48384

CVE.ORG link : CVE-2025-48384

JSON object : View

Products Affected

debian

  • debian_linux

apple

  • xcode

git-scm

  • git
CWE
CWE-59

Improper Link Resolution Before File Access ('Link Following')

CWE-436

Interpretation Conflict