Organizations Warned of Exploited Git Vulnerability

CISA urges federal agencies to immediately patch an exploited arbitrary file write vulnerability in Git that leads to remote code execution.

The US cybersecurity agency CISA on Monday warned that a recent vulnerability in Git has been exploited in attacks, urging its immediate patching.

The flaw, tracked as CVE-2025-48384 (CVSS score of 8.1), is described as an arbitrary file write that occurs when repositories with submodules are cloned using the ‘recursive’ flag.

The issue exists because, when reading configuration values, Git strips trailing carriage return (CR) characters and does not quote them when writing.

Thus, the initialization of submodules with a path containing a trailing CR results in altered paths and in the submodule being checked out to an incorrect location.

“If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout,” Git’s advisory reads.

This allows attackers to manipulate internal submodule paths, which results in Git writing files to unexpected locations and initializing the submodules in these locations.

Shortly after the Git project released patches for CVE-2025-48384 on July 8, Datadog warned that proof-of-concept (PoC) code targeting the bug had been released.

“An attacker can craft a malicious .gitmodules file with submodule paths ending in a carriage return. Due to Git’s config parser behavior, this character may be stripped on read but preserved on write, allowing malicious redirection of submodule contents. When combined with symlinks or certain repository layouts, this can lead to arbitrary writes across the filesystem,” Datadog said.

The security firm warned that attackers can exploit the flaw by creating malicious repositories that, when cloned, would lead to remote code execution.
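The condition Datadog describes, a submodule path ending in a carriage return, can be checked in a repository's .gitmodules before any submodule is initialized. The following is an added example, not code from Git, Datadog or CISA; the function names and the sample data are constructed for illustration, and it assumes a `git` binary is available to parse the file.

```python
import subprocess

def parse_config_z(raw):
    """Split `git config -z` output; each record is: key, LF, value, NUL."""
    entries = []
    for record in raw.split(b"\0"):
        if record:
            key, _, value = record.partition(b"\n")
            entries.append((key.decode("utf-8", "replace"),
                            value.decode("utf-8", "replace")))
    return entries

def suspicious_paths(entries):
    """Flag submodule.<name>.path values ending in CR or holding control chars."""
    findings = []
    for key, value in entries:
        if not (key.startswith("submodule.") and key.endswith(".path")):
            continue
        if value.endswith("\r"):
            findings.append((key, value, "trailing carriage return"))
        elif any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
            findings.append((key, value, "control character in path"))
    return findings

def scan_gitmodules(path=".gitmodules"):
    """Read path values with Git's own config parser, so quoting is resolved."""
    result = subprocess.run(
        ["git", "config", "-z", "-f", path,
         "--get-regexp", r"^submodule\..*\.path$"],
        capture_output=True, check=False)
    return suspicious_paths(parse_config_z(result.stdout))

# Constructed sample of `git config -z` output: one ordinary path, one ending in CR.
SAMPLE = (b"submodule.lib.path\nvendor/lib\0"
          b"submodule.docs.path\ndocs\r\0")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        findings = scan_gitmodules(sys.argv[1])
    else:
        findings = suspicious_paths(parse_config_z(SAMPLE))
    for key, value, reason in findings:
        print(f"{key} = {value!r}: {reason}")
    sys.exit(1 if findings else 0)
```

Run it against the .gitmodules of a checkout made without the recursive flag; a non-zero exit status means at least one submodule path needs review before submodules are initialized.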

The vulnerability, however, only affects macOS and Linux systems. Differences in control character usage render Windows machines immune to the security defect. The issue was resolved in Git versions 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.

“This will largely affect software developers using Git on workstations to version control their code, but we have also identified usage of vulnerable Git versions in customer CI/CD build systems,” Datadog warned last month.

On Monday, CISA added CVE-2025-48384 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it by September 15, as Binding Operational Directive (BOD) 22-01 mandates.

While BOD 22-01 only applies to federal agencies, all organizations are advised to review CISA’s KEV list and apply the recommended patches and mitigations for all the security defects it identifies.

There do not appear to be any public reports describing the attacks exploiting CVE-2025-48384.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
