By: RedLegg's Cyber Threat Intelligence Team
About:
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation.
VULNERABILITIES
Git arbitrary file write leading to unintended hook execution
CVSS Score: 8.0
Identifier: CVE-2025-48384
Exploit or POC: Yes – added to CISA Known Exploited Vulnerabilities
Update: CVE-2025-48384 – NVD summary and fixed versions
Description:
CVE-2025-48384 is a vulnerability in Git's handling of carriage return (CR) characters in configuration values. When Git reads a config value it strips any trailing CR/LF, but when it writes a value that ends in a CR it does not quote it, so the CR is silently lost on the next read. A submodule path crafted with a trailing CR is therefore written one way and read back another, causing Git to check out the submodule to an altered location. If the repository also contains a symlink at that altered location pointing into the submodule's hooks directory, and the submodule ships an executable post-checkout hook, that hook runs after the checkout completes. This is primarily a client-side risk triggered when cloning untrusted repositories with submodules (for example with git clone --recursive, or git submodule update --init after cloning), and it is especially relevant for CI/CD runners that act as Git clients against contributor-controlled repositories. Fixes are available in Git versions v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1. Linux/macOS environments are most impacted; Windows Git is not affected by this specific issue.
Mitigation Recommendation:
Patching is the only complete fix. Update Git to one of the fixed versions listed in the NVD entry for CVE-2025-48384 on every host that clones repositories, including CI/CD runners, build agents, and developer workstations. Until those hosts are patched, for build systems and CI/CD environments:
Avoid cloning untrusted repositories with --recursive (or running git submodule update --init on them) until the runner is patched; if submodules are required, inspect .gitmodules before initializing them.
Harden runners/agents and restrict their network and file-system permissions so that a hook executing on a runner cannot reach secrets or other jobs.
Monitor for unexpected hook execution following clones, for example processes spawned from a submodule checkout path or from a .git/modules/*/hooks directory.
Review CISA KEV guidance and apply organizational SLAs for KEV items.
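The following is an added example written for this bulletin; it is not RedLegg's tooling and not Git's own code. It does three things a runner maintainer would want before allowing a recursive clone: a simplified model of the config write/read round trip described above (a bare value loses its trailing CR, a quoted one keeps it), a raw-bytes scan of a .gitmodules file for submodule path values that contain CR or other control characters, and a check of the installed Git version against the fixed versions listed in this bulletin. The .gitmodules contents and the example.invalid URL are constructed inputs, and the config reader/writer functions are a deliberately simplified model rather than Git's actual parser.

```python
import re

# Fixed versions from the bulletin, keyed by maintenance line (major, minor).
FIXED_VERSIONS = {
    (2, 43): (2, 43, 7), (2, 44): (2, 44, 4), (2, 45): (2, 45, 4),
    (2, 46): (2, 46, 4), (2, 47): (2, 47, 3), (2, 48): (2, 48, 2),
    (2, 49): (2, 49, 1), (2, 50): (2, 50, 1),
}


def parse_git_version(text):
    """Extract (major, minor, patch) from output such as 'git version 2.49.0'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version found in %r" % text)
    return tuple(int(x) for x in m.groups())


def is_fixed(version):
    """True if this Git version carries the CVE-2025-48384 fix.

    Assumption: any maintenance line newer than 2.50 was released after the fix,
    and lines older than 2.43 received no backport in the bulletin's list, so
    they are treated as unfixed.
    """
    line = FIXED_VERSIONS.get(version[:2])
    if line is None:
        return version[:2] > (2, 50)
    return version >= line


# --- Simplified model of the config round trip (not Git's real parser) ---

def read_value(raw):
    """Reader: a bare value loses trailing CR/LF; a double-quoted value is kept."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return raw.rstrip("\r\n")


def write_value_vulnerable(value):
    """Pre-fix writer: emits the value bare, so a trailing CR is stripped later."""
    return value


def write_value_fixed(value):
    """Post-fix writer: a value ending in CR is quoted so it survives re-reading."""
    if value.endswith("\r"):
        return '"%s"' % value
    return value


def round_trip(value, writer):
    """Write a value with the given writer, then read it back."""
    return read_value(writer(value))


# --- Raw scan of .gitmodules for path values carrying control characters ---

def suspicious_submodule_paths(gitmodules_bytes):
    """Return (submodule name, raw path bytes) for every path value that contains
    a control character such as CR. Works on raw bytes on purpose: a config
    reader that strips the CR is exactly what hides it."""
    findings = []
    section = None
    for line in gitmodules_bytes.split(b"\n"):
        stripped = line.strip(b" \t")
        m = re.match(rb'\[submodule "(.+)"\]', stripped)
        if m:
            section = m.group(1).decode("utf-8", "replace")
            continue
        key, sep, value = stripped.partition(b"=")
        if sep and key.strip(b" \t") == b"path":
            value = value.strip(b" \t")
            if len(value) >= 2 and value.startswith(b'"') and value.endswith(b'"'):
                value = value[1:-1]
            if any(b < 0x20 or b == 0x7F for b in value):
                findings.append((section, value))
    return findings


def recursive_clone_allowed(gitmodules_bytes, git_version_text):
    """Gate for a runner: allow --recursive when Git is fixed, otherwise only
    when the repository's .gitmodules shows no suspicious path values."""
    if is_fixed(parse_git_version(git_version_text)):
        return True
    return not suspicious_submodule_paths(gitmodules_bytes)


# Constructed sample inputs (not taken from any real repository).
SAFE_GITMODULES = (
    b'[submodule "lib"]\n\tpath = lib\n\turl = https://example.invalid/lib.git\n'
)
CRAFTED_GITMODULES = (
    b'[submodule "lib"]\n\tpath = lib\r\n\turl = https://example.invalid/lib.git\n'
)

if __name__ == "__main__":
    print("vulnerable round trip:", repr(round_trip("lib\r", write_value_vulnerable)))
    print("fixed round trip:     ", repr(round_trip("lib\r", write_value_fixed)))
    print("findings:", suspicious_submodule_paths(CRAFTED_GITMODULES))
    print("allow on 2.49.0:", recursive_clone_allowed(CRAFTED_GITMODULES, "git version 2.49.0"))
    print("allow on 2.50.1:", recursive_clone_allowed(CRAFTED_GITMODULES, "git version 2.50.1"))
```

In a pipeline, feed `suspicious_submodule_paths` the raw .gitmodules bytes from a non-recursive clone (or from the server's file API) and `parse_git_version` the output of `git --version` on the runner. A .gitmodules written with CRLF line endings will flag every path; since Git itself writes LF, treating such a file as suspect on an untrusted-repository gate is the conservative choice rather than a defect to special-case.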