Git vulnerability CVE-2025-48384 allows remote code execution
CVE-2025-48384 is a recently patched vulnerability in the widely used distributed revision control system Git that attackers are actively exploiting. The US Cybersecurity and Infrastructure Security Agency (CISA) confirmed the exploitation and added the flaw to its Known Exploited Vulnerabilities catalog. The vulnerability arises from a mismatch in how Git reads and writes configuration values containing control characters. According to Datadog researchers, it can be exploited to create a malicious Git hook script, leading to remote code execution (RCE) when commands such as git commit and git merge are run. Attackers can craft a malicious .gitmodules file with submodule paths ending in a carriage return, which redirects where submodule contents are written and can lead to arbitrary writes across the filesystem.
Publicly disclosed on July 8, 2025, CVE-2025-48384 has been fixed in several Git releases, including v2.50.1 and patched releases of earlier version lines. Following the disclosure, Datadog researchers identified proof-of-concept exploits that had already begun circulating. The vulnerability can be easily exploited by creating malicious Git repositories that execute code upon cloning. It can also be used to overwrite a victim's Git configuration file, enabling attackers to exfiltrate intellectual property, such as proprietary source code, without detection. Developers using macOS and Linux systems are urged to ensure their Git versions are up to date, and CISA has mandated that US federal civilian agencies mitigate this vulnerability by September 15, 2025. Users are also advised to avoid recursively cloning submodules from untrusted repositories.
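As a pre-clone check for the .gitmodules pattern described above, the following added example (not code from Git, CISA or Datadog) scans a .gitmodules file for submodule paths that still contain a control character after decoding. It generalizes from the trailing carriage return to any control character. The value decoder is a simplified stand-in for Git's own config parser, and the function names and sample data are assumptions made for illustration.

```python
import re

# Constructed sample (not from a real repository): the "lib" entry has a quoted
# path ending in a carriage return, the pattern described above.
SAMPLE_GITMODULES = (
    b'[submodule "docs"]\n\tpath = docs\n\turl = https://example.invalid/docs.git\n'
    b'[submodule "lib"]\n\tpath = "lib\r"\n\turl = https://example.invalid/lib.git\n'
)

SECTION_RE = re.compile(rb'^\s*\[submodule\s+"(.*)"\]\s*$')
KEY_RE = re.compile(rb'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$')
ESCAPES = {b'n': b'\n', b't': b'\t', b'b': b'\b'}

def decode_value(raw):
    """Simplified decoding of a config value: quotes protect whitespace
    (including CR); unquoted trailing whitespace is dropped."""
    out, keep, in_quote, i = bytearray(), 0, False, 0
    while i < len(raw):
        c = raw[i:i + 1]
        if c == b'"':
            in_quote, keep = not in_quote, len(out)
        elif c == b'\\' and i + 1 < len(raw):
            i += 1
            out += ESCAPES.get(raw[i:i + 1], raw[i:i + 1])
            keep = len(out)
        elif not in_quote and c in b'#;':
            break  # comment starts here
        else:
            out += c
            if in_quote or not c.isspace():
                keep = len(out)
        i += 1
    return bytes(out[:keep])

def find_suspicious_paths(data):
    """Return (line number, submodule name, decoded path) for every submodule
    path that contains a control character."""
    findings, name = [], None
    for lineno, line in enumerate(data.split(b'\n'), 1):
        section = SECTION_RE.match(line)
        if section or line.lstrip().startswith(b'['):
            name = section.group(1).decode(errors='replace') if section else None
            continue
        entry = KEY_RE.match(line)
        if name is None or not entry or entry.group(1).lower() != b'path':
            continue
        value = decode_value(entry.group(2))
        if any(b < 0x20 or b == 0x7F for b in value):
            findings.append((lineno, name, value))
    return findings
```

A file saved with CRLF line endings is not flagged by itself, because an unquoted trailing carriage return is treated as line-ending whitespace; only a carriage return that survives decoding is reported.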

