CVE-2025-48384

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-48384
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.

8.0 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9 Vendor Advisory
http://seclists.org/fulldisclosure/2025/Sep/60 Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2025/07/08/4
https://lists.debian.org/debian-lts-announce/2025/10/msg00003.html Mailing List Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48384 US Government Resource
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*
History

04 Nov 2025, 22:16

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2025/07/08/4 -

04 Nov 2025, 14:50

Type Values Removed Values Added
First Time Apple
Debian debian Linux
Apple xcode
Debian
CPE cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*
References () http://seclists.org/fulldisclosure/2025/Sep/60 - () http://seclists.org/fulldisclosure/2025/Sep/60 - Mailing List, Third Party Advisory
References () https://lists.debian.org/debian-lts-announce/2025/10/msg00003.html - () https://lists.debian.org/debian-lts-announce/2025/10/msg00003.html - Mailing List, Third Party Advisory

03 Nov 2025, 19:16

Type Values Removed Values Added
References
  • () http://seclists.org/fulldisclosure/2025/Sep/60 -

03 Nov 2025, 18:16

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2025/10/msg00003.html -

24 Oct 2025, 13:58

Type Values Removed Values Added
References () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48384 - () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48384 - US Government Resource

21 Oct 2025, 23:17

Type Values Removed Values Added
References
  • () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48384 -

21 Oct 2025, 20:20

Type Values Removed Values Added
References
  • {'url': 'https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48384', 'source': '134c704f-9b21-4f2e-91b3-4a467353bcc0'}

21 Oct 2025, 19:21

Type Values Removed Values Added
References
  • () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48384 -

26 Aug 2025, 14:45

Type Values Removed Values Added
First Time Git-scm git
Git-scm
CPE cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
References () https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9 - () https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9 - Vendor Advisory

10 Jul 2025, 13:18

Type Values Removed Values Added
New CVE
Information

Published : 2025-07-08 19:15

Updated : 2025-11-04 22:16

NVD link : CVE-2025-48384

Mitre link : CVE-2025-48384

CVE.ORG link : CVE-2025-48384

JSON object : View

Products Affected

git-scm

  • git

debian

  • debian_linux

apple

  • xcode
CWE
CWE-59

Improper Link Resolution Before File Access ('Link Following')

CWE-436

Interpretation Conflict