Vulnerability CVE-2025-48384: Information

Description

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.

Severity: HIGH (8.0)
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
URL: https://nvd.nist.gov/vuln/detail/CVE-2025-48384
Published: July 8, 2025
Modified: Nov. 6, 2025
Error type identifier: CWE-59CWE-436

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
gitsisyphus2.50.1-alt12.50.1-alt1ALT-PU-2025-9093-3379199Fixed
gitsisyphus_e2k2.50.1-alt12.50.1-alt1ALT-PU-2025-10768-1-Fixed
gitsisyphus_riscv642.50.1-alt12.50.1-alt1ALT-PU-2025-9180-1-Fixed
gitsisyphus_loongarch642.50.1-alt12.50.1-alt1ALT-PU-2025-9130-1-Fixed
gitp112.50.1-alt12.50.1-alt1ALT-PU-2025-9420-3390129Fixed
gitp102.50.1-alt12.50.1-alt1ALT-PU-2025-10893-3393262Fixed
gitp10_e2k2.50.1-alt12.50.1-alt1ALT-PU-2025-11710-1-Fixed
gitc10f22.50.1-alt12.50.1-alt1ALT-PU-2025-9642-3390731Fixed
gitc9f22.50.1-alt12.50.1-alt1ALT-PU-2025-9640-3390732Fixed
gitlab-runnersisyphus18.10.1-alt118.10.1-alt1ALT-PU-2026-5804-1414439Fixed
gitlab-runnersisyphus_riscv6418.10.1-alt118.10.1-alt1ALT-PU-2026-5845-1-Fixed
gitlab-runnersisyphus_loongarch6418.10.1-alt118.10.1-alt1ALT-PU-2026-5913-1-Fixed
gitlab-runnerc10f218.10.1-alt118.10.1-alt1ALT-PU-2026-5808-2414452Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9
  • Vendor Advisory
http://seclists.org/fulldisclosure/2025/Sep/60
  • Mailing List
  • Third Party Advisory
http://www.openwall.com/lists/oss-security/2025/07/08/4
  • Mailing List
https://lists.debian.org/debian-lts-announce/2025/10/msg00003.html
  • Mailing List
  • Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48384
  • US Government Resource
BDU:2025-08691
      1. cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
        End excluding
        2.43.7
        cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
        Start including
        2.44.0
        End excluding
        2.44.4
        cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
        Start including
        2.45.0
        End excluding
        2.45.4
        cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
        Start including
        2.46.0
        End excluding
        2.46.4
        cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
        Start including
        2.47.0
        End excluding
        2.47.3
        cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
        Start including
        2.48.0
        End excluding
        2.48.2
        cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
        Start including
        2.49.0
        End excluding
        2.49.1
        cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
        Start including
        2.50.0
        End excluding
        2.50.1
        cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
        cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*
        End excluding
        26.0
    VKontakte|Telegram|YouTube|Forum|ALT Linux Space|Bugzilla
    Version: v26.2.2
    Back to top