{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-48384", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-05-19T15:46:00.397Z", "datePublished": "2025-07-08T18:23:48.710Z", "dateUpdated": "2025-07-08T18:35:31.021Z"}, "containers": {"cna": {"title": "Git allows arbitrary code execution through broken config quoting", "problemTypes": [{"descriptions": [{"cweId": "CWE-436", "lang": "en", "description": "CWE-436: Interpretation Conflict", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-59", "lang": "en", "description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9"}], "affected": [{"vendor": "git", "product": "git", "versions": [{"version": "< 2.43.7", "status": "affected"}, {"version": ">= 2.44.0-rc0, < 2.44.4", "status": "affected"}, {"version": ">= 2.45.0-rc0, < 2.45.4", "status": "affected"}, {"version": ">= 2.46.0-rc0, < 2.46.4", "status": "affected"}, {"version": ">= 2.47.0-rc0, < 2.47.3", "status": "affected"}, {"version": ">= 2.48.0-rc0, < 2.48.2", "status": "affected"}, {"version": ">= 2.49.0-rc0, < 2.49.1", "status": "affected"}, {"version": ">= 2.50.0-rc0, < 2.50.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-08T18:23:48.710Z"}, "descriptions": [{"lang": "en", "value": "Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1."}], "source": {"advisory": "GHSA-vwqx-4fm8-6qc9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-08T18:35:15.366171Z", "id": "CVE-2025-48384", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-08T18:35:31.021Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-48384", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-08T18:35:15.366171Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-08T18:35:20.601Z"}}], "cna": {"title": "Git allows arbitrary code execution through broken config quoting", "source": {"advisory": "GHSA-vwqx-4fm8-6qc9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "git", "product": "git", "versions": [{"status": "affected", "version": "< 2.43.7"}, {"status": "affected", "version": ">= 2.44.0-rc0, < 2.44.4"}, {"status": "affected", "version": ">= 2.45.0-rc0, < 2.45.4"}, {"status": "affected", "version": ">= 2.46.0-rc0, < 2.46.4"}, {"status": "affected", "version": ">= 2.47.0-rc0, < 2.47.3"}, {"status": "affected", "version": ">= 2.48.0-rc0, < 2.48.2"}, {"status": "affected", "version": ">= 2.49.0-rc0, < 2.49.1"}, {"status": "affected", "version": ">= 2.50.0-rc0, < 2.50.1"}]}], "references": [{"url": "https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9", "name": "https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-436", "description": "CWE-436: Interpretation Conflict"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-59", "description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-08T18:23:48.710Z"}}}, "cveMetadata": {"cveId": "CVE-2025-48384", "state": "PUBLISHED", "dateUpdated": "2025-07-08T18:35:31.021Z", "dateReserved": "2025-05-19T15:46:00.397Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-07-08T18:23:48.710Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1."}, {"lang": "es", "value": "Git es un sistema de control de versiones distribuido, r\u00e1pido y escalable, con un conjunto de comandos excepcionalmente completo que proporciona operaciones de alto nivel y acceso completo a su funcionamiento interno. Al leer un valor de configuraci\u00f3n, Git elimina cualquier retorno de carro y avance de l\u00ednea (CRLF) final. Al escribir una entrada de configuraci\u00f3n, los valores con un CR final no se entrecomillan, lo que provoca que el CR se pierda al leer la configuraci\u00f3n posteriormente. Al inicializar un subm\u00f3dulo, si la ruta del subm\u00f3dulo contiene un CR final, se lee la ruta modificada, lo que provoca que el subm\u00f3dulo se extraiga a una ubicaci\u00f3n incorrecta. Si existe un enlace simb\u00f3lico que apunta la ruta modificada al directorio de ganchos del subm\u00f3dulo, y este contiene un gancho ejecutable posterior a la extracci\u00f3n, el script podr\u00eda ejecutarse accidentalmente despu\u00e9s de la extracci\u00f3n. Esta vulnerabilidad se ha corregido en v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1 y v2.50.1."}], "id": "CVE-2025-48384", "lastModified": "2025-07-10T13:18:53.830", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-07-08T19:15:42.800", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}, {"lang": "en", "value": "CWE-436"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "git: Git arbitrary code execution", "id": "2378806", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2378806"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "(CWE-436|CWE-59)", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-48384", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "git", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "git", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "git", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "git", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "git", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Affected", "package_name": "devspaces/code-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2025-07-08T18:23:48Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-48384\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-48384\nhttps://dgl.cx/2025/07/git-clone-submodule-cve-2025-48384\nhttps://github.com/git/git/commit/05e9cd64ee23bbadcea6bcffd6660ed02b8eab89\nhttps://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9"], "statement": "This vulnerability marked as Important\u2014not just a Moderate flaw\u2014because it undermines Git\u2019s path and config integrity by allowing carriage return (\\r) injection to manipulate submodule checkout behavior. Git previously failed to quote config values containing trailing CR, causing the value to be misinterpreted when read back. In the context of submodules, this leads to incorrect path resolution, allowing an attacker to redirect the checkout path via a symlink to a sensitive directory like .git/modules/<submodule>/hooks. If an executable post-checkout hook exists there, it could be inadvertently executed, resulting in arbitrary code execution during submodule operations. This is particularly dangerous in automated CI/CD pipelines or multi-repo projects where submodules are initialized or updated without manual inspection.", "threat_severity": "Important"}