CVE-2025-48384 — Git Link Following Vulnerability

CVE-2025-48384

Git — RCE on Recursive Clone via Carriage Return in Submodule Path (Linux/macOS)

What is Git?

Git is the world's most widely used distributed version control system, created by Linus Torvalds in 2005. It is the foundation of virtually every modern software development workflow: developers clone repositories, manage branches, and collaborate via hosting platforms like GitHub, GitLab, and Bitbucket. Git is installed on macOS as part of the Xcode Command Line Tools, is bundled with development tools like Xcode and Visual Studio, and is a near-universal dependency of CI/CD pipelines and developer workstations.

Because git clone is a routine, low-friction operation — often the first step when evaluating open-source projects or onboarding to a new repository — it represents an unusually attractive attack surface. A vulnerability triggered by cloning a malicious repository can compromise developer machines at the moment of discovery, before any additional code is run.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on August 25, 2025 with a federal remediation deadline of September 15, 2025. In-the-wild exploitation uses Python-based malware delivered via malicious Git post-checkout hooks.

CVE-2025-48384 is a link following (CWE-59) vulnerability in Git's configuration file handling. A read/write inconsistency in how Git processes carriage return (\r) characters allows an attacker to craft a malicious repository in which a submodule path is written into a Git config file as one value but read back as a different one. By committing a symlink at the altered path, the attacker redirects Git's file writes into .git/hooks/, and Git then executes the attacker-supplied hook script on its own, giving code execution at the moment of git clone --recursive.

The vulnerability affects Linux and macOS only. Windows filesystems reject filenames containing carriage return characters, blocking the exploit chain at the OS level.

Affected Versions

Git Version    Last Vulnerable    Patched
2.43.x         2.43.6             2.43.7
2.44.x         2.44.3             2.44.4
2.45.x         2.45.3             2.45.4
2.46.x         2.46.3             2.46.4
2.47.x         2.47.2             2.47.3
2.48.x         2.48.1             2.48.2
2.49.x         2.49.0             2.49.1
2.50.x         2.50.0             2.50.1

All Git releases on UNIX-like systems prior to these patched versions are vulnerable. Products bundling Git — including Apple Xcode and various Linux distribution packages — required separate updates from their respective vendors.

Technical Details

The root cause is a write/read semantic mismatch in config.c, Git's configuration file handler.

The write side (write_pair()): When writing a key-value pair to a config file, Git checks whether the value needs to be quoted — for example, values containing ; or # are wrapped in double quotes to prevent misinterpretation. However, the pre-patch code did not include carriage return (\r) in the set of characters requiring quoting. A submodule path containing a trailing \r was written literally into .git/config, with no escaping.

The read side (config parser): When reading a config file line, Git strips trailing CR/LF characters before returning the value. A stored path of subdir/foo\r is returned as subdir/foo — a different string entirely.

The exploit chain:

  1. Attacker publishes a repository whose .gitmodules declares a submodule with a trailing carriage return in its path (path = subdir/foo^M) and commits a symlink at subdir/foo that points to .git/hooks/
  2. Victim runs git clone --recursive <malicious-repo>
  3. Git validates the submodule path taken from .gitmodules; subdir/foo\r passes the safety checks because CR is not a rejected character
  4. Git writes the path, unquoted, into .git/modules/foo/config
  5. When Git reads that config back, the CR is stripped and the effective path becomes subdir/foo
  6. subdir/foo is the attacker's symlink, so Git checks out the submodule's content into what it believes is subdir/foo but is actually .git/hooks/
  7. The submodule contains an executable post-checkout script
  8. Git runs post-checkout automatically at the end of the checkout; arbitrary code executes under the victim's account

A secondary exploitation path uses the same file-write primitive to overwrite .git/config itself, silently redirecting the repository's remote origin to an attacker-controlled server and enabling source code exfiltration disguised as normal Git activity.

The one-line fix adds '\r' to the quoting check in write_pair():

if (value[i] == ';' || value[i] == '#' || value[i] == '\r')
    quote = "\"";

This ensures carriage return characters survive write/read cycles: inside double quotes the CR is no longer immediately followed by the line-ending LF, so the parser's CRLF handling does not strip it and the stored path reads back unchanged, which breaks the exploit chain. The patch commit is 05e9cd64ee in the Git repository.
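
To see the write/read mismatch and the effect of the fix concretely, the following Python model is added here for this page; it is not Git's code. Only the quoting decision in write_pair() and the CR/LF and escape handling of the config reader that matter for this CVE are reproduced (the real parser in config.c also handles comments, includes and multi-line values), and the function names write_pair_value, read_pair_value and round_trip are this example's own.

```python
# Added example for this page, not Git's own code: a Python model of the two
# halves of config.c that disagree about '\r'.  Only the quoting rules and the
# CR/LF handling relevant to CVE-2025-48384 are modelled.

def write_pair_value(value: str, quote_cr: bool) -> str:
    """Model of write_pair(): decide whether the value needs double quotes,
    then escape it.  quote_cr=False models the pre-patch check, which only
    looks for ';' and '#' (plus a leading/trailing space); quote_cr=True
    models the patched check that also quotes when a CR is present."""
    needs_quote = bool(value) and (value[0] == " " or value[-1] == " ")
    for ch in value:
        if ch in ";#" or (quote_cr and ch == "\r"):
            needs_quote = True
    escaped = []
    for ch in value:
        if ch == "\n":
            escaped.append("\\n")
        elif ch == "\t":
            escaped.append("\\t")
        elif ch in '"\\':
            escaped.append("\\" + ch)
        else:
            escaped.append(ch)            # a CR is written literally either way
    body = "".join(escaped)
    return f'"{body}"' if needs_quote else body


def read_pair_value(line: str) -> str:
    """Model of the read side for one 'key = value' line ending in LF.
    get_next_char() turns a CR that is immediately followed by LF into a bare
    LF, so an unquoted trailing CR vanishes; parse_value() drops trailing
    whitespace outside quotes, stops at ';' or '#', and decodes the escapes
    \\n \\t \\b \\" and \\\\ ."""
    line = line.replace("\r\n", "\n")             # the CRLF collapse
    _, _, rest = line.partition("=")
    rest = rest.lstrip(" \t")
    out, pending_spaces, in_quote, i = [], 0, False, 0
    while i < len(rest):
        c = rest[i]
        i += 1
        if c == "\n":
            if in_quote:
                raise ValueError("unterminated quoted value")
            break
        if not in_quote:
            if c in ";#":                          # comment ends an unquoted value
                break
            if c in " \t":                         # kept only if more value follows
                pending_spaces += 1
                continue
        if c == '"':
            in_quote = not in_quote
            continue
        if c == "\\":
            if i >= len(rest):
                raise ValueError("bad escape")
            e = rest[i]
            i += 1
            c = {"n": "\n", "t": "\t", "b": "\b", '"': '"', "\\": "\\"}.get(e)
            if c is None:
                raise ValueError(f"bad escape \\{e}")
        out.append(" " * pending_spaces + c)
        pending_spaces = 0
    return "".join(out)


def round_trip(value: str, quote_cr: bool) -> str:
    """Write a submodule path as write_pair() would, then read it back."""
    line = "\tpath = " + write_pair_value(value, quote_cr) + "\n"
    return read_pair_value(line)


if __name__ == "__main__":
    path = "subdir/foo\r"                          # the attacker-chosen submodule path
    print(repr(round_trip(path, quote_cr=False)))  # pre-patch: 'subdir/foo'   (CR lost)
    print(repr(round_trip(path, quote_cr=True)))   # patched:   'subdir/foo\r' (CR kept)
```

With quote_cr=False the line on disk is `path = subdir/foo<CR><LF>`, and the reader's CRLF collapse silently turns the path into subdir/foo; with quote_cr=True the line is `path = "subdir/foo<CR>"<LF>`, the CR is followed by a quote rather than an LF, and the value survives unchanged. Note that the fix is entirely on the write side: the reader still strips a CR that precedes an LF, which is why patched versions will not show you the CR in an existing .gitmodules through git config either.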

Relationship to CVE-2024-32002: This vulnerability uses the same conceptual attack (submodule confusion → hook execution) as CVE-2024-32002, which exploited filesystem case-sensitivity differences. CVE-2025-48384 is a distinct variant using CR-stripping instead of case folding, discovered through the same line of audit work.

Discovery

David Leadbeater (dgl) discovered this vulnerability during a security audit of Git sponsored by G-Research Open Source. The same audit produced six additional CVEs disclosed on the same day (CVE-2025-48385, CVE-2025-48386, CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835). Leadbeater published a detailed technical write-up titled "Breaking Git with a carriage return and cloning RCE" at dgl.cx. The patch was written by Justin Tobler and committed by Taylor Blau.

Exploitation Context

Active in-the-wild exploitation was confirmed by CISA on August 25, 2025 — approximately seven weeks after the July 8 public disclosure.

Attack method: Attackers use social engineering to lure developers into cloning malicious repositories. Observed indicators of compromise include post-checkout hook scripts named hooks/vm.tf and hooks/mongodb.hook.js, suggesting infrastructure-themed and database-themed lure repositories targeting developers working with Terraform or MongoDB. The first-stage payload is Python-based, delivered via hook execution, and includes anti-forensic techniques (TAR archive extraction to /tmp followed by archive deletion).

PoC availability: Multiple public proof-of-concept exploits appeared on GitHub within hours of the July 8 disclosure, dramatically lowering the barrier to exploitation. Independent validation by security researchers confirmed working exploitation against unpatched systems.

Primary targets: Developer workstations running macOS or Linux, and CI/CD pipeline agents — systems where git clone operations against external repositories are routine. GitHub Desktop is specifically exposed because it enables recursive cloning by default.

No specific named threat actor or APT group had been publicly attributed as of the available reporting.

Remediation

CISA BOD 22-01 deadline: September 15, 2025. Federal agencies are required to apply mitigations by this date.
  1. Upgrade Git to a patched version for your active branch (see Affected Versions table above). Run git --version to check the version in use. On macOS, the system Git comes from the Xcode Command Line Tools and is updated through Software Update (xcode-select --install only performs a fresh install); a Homebrew Git is upgraded with brew upgrade git. On Linux, use your distribution's package manager.
  2. Avoid --recursive or --recurse-submodules on repositories from untrusted or unknown sources until patched. Instead, clone without the flag, inspect the raw bytes of .gitmodules (for example with cat -v or xxd, since reading it through git config strips the very CR you are looking for) for control characters in path values and for path components that are symlinks in the checked-out tree, and run git submodule update --init only after inspection.
  3. Audit CI/CD pipeline runners — any agent that clones external repositories with recursive submodule initialization is exposed. Verify the Git version on all pipeline agents and update before re-enabling recursive clones.
  4. Review GitHub Desktop and other GUI clients — these may clone recursively by default. Check for updates from the respective vendors.
  5. Monitor for hook file creation in .git/hooks/ directories on developer workstations, particularly unexpected script files appearing after a clone operation.
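
The inspection in steps 2 and 5 above, as a runnable script added for this page (it is not code from this advisory or from the Git project). Run it against a repository cloned without --recursive, before git submodule update --init: it reports submodule paths containing control characters, paths that escape the work tree, path components that already exist as symlinks (checked both as written and as Git would read the path back after CR stripping), and any non-sample file in .git/hooks. The function names and the two repository layouts that demo() builds in temporary directories are constructed for the example.

```python
"""Added example, not code from this advisory or from the Git project: the
pre-clone inspection recommended above, run against a repository cloned
WITHOUT --recursive and before `git submodule update --init`."""
import os
import re
import shutil
import tempfile

# .gitmodules uses Git's config syntax.  This reader keeps raw bytes and splits
# on LF only, so a CR that Git's own parser would silently drop stays visible.
# (A .gitmodules written with CRLF line endings will trip the control-character
# check on every path; that is deliberate and should prompt a closer look.)
SECTION_RE = re.compile(rb'^[ \t]*\[submodule[ \t]+"([^"]*)"\][ \t\r]*$')
KEY_RE = re.compile(rb'^[ \t]*([A-Za-z][A-Za-z0-9-]*)[ \t]*=[ \t]*(.*)$')
CONTROL_RE = re.compile(rb'[\x00-\x1f\x7f]')


def parse_gitmodules(data: bytes) -> dict:
    """{submodule name: {key: raw value bytes}}, trailing spaces/tabs removed."""
    mods, current = {}, None
    for line in data.split(b"\n"):
        m = SECTION_RE.match(line)
        if m:
            current = mods.setdefault(m.group(1).decode("utf-8", "replace"), {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[m.group(1).decode().lower()] = m.group(2).rstrip(b" \t")
    return mods


def symlinked_components(worktree: str, rel: str) -> list:
    """Every prefix of rel (e.g. 'subdir', 'subdir/foo') that is a symlink on disk."""
    hits, cur = [], worktree
    for comp in rel.replace("\\", "/").split("/"):
        if comp in ("", "."):
            continue
        cur = os.path.join(cur, comp)
        if os.path.islink(cur):
            hits.append(os.path.relpath(cur, worktree))
    return hits


def check_submodule_path(name: str, raw: bytes, worktree: str) -> list:
    findings = []
    if CONTROL_RE.search(raw):
        findings.append(f"{name}: control character in path {raw!r}")
    text = raw.decode("utf-8", "replace")
    if text.startswith("/") or ".." in text.replace("\\", "/").split("/"):
        findings.append(f"{name}: path escapes the work tree {text!r}")
    # Look at the path as written AND as Git reads it back after CR stripping:
    # in the CVE-2025-48384 chain the symlink sits at the stripped path.
    for candidate in sorted({text, text.rstrip("\r")}):
        for link in symlinked_components(worktree, candidate):
            target = os.readlink(os.path.join(worktree, link))
            findings.append(f"{name}: {link!r} is a symlink -> {target!r}")
    return findings


def non_sample_hooks(worktree: str) -> list:
    """Anything in .git/hooks other than Git's *.sample templates."""
    hooks = os.path.join(worktree, ".git", "hooks")
    if not os.path.isdir(hooks):
        return []
    return sorted(n for n in os.listdir(hooks) if not n.endswith(".sample"))


def audit(worktree: str) -> list:
    findings = []
    gm = os.path.join(worktree, ".gitmodules")
    if os.path.exists(gm):
        with open(gm, "rb") as fh:
            mods = parse_gitmodules(fh.read())
        for name, keys in mods.items():
            if "path" in keys:
                findings += check_submodule_path(name, keys["path"], worktree)
    findings += [f"non-sample hook file: .git/hooks/{h}" for h in non_sample_hooks(worktree)]
    return findings


def demo() -> tuple:
    """Constructed layouts: one shaped like the exploit chain above, one benign."""
    bad, good = tempfile.mkdtemp(), tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(bad, ".git", "hooks"))
        os.makedirs(os.path.join(bad, "subdir"))
        # the symlink the attacker commits in the superproject
        os.symlink(os.path.join("..", ".git", "hooks"), os.path.join(bad, "subdir", "foo"))
        with open(os.path.join(bad, ".gitmodules"), "wb") as fh:
            fh.write(b'[submodule "foo"]\n\tpath = subdir/foo\r\n'
                     b'\turl = https://example.invalid/foo.git\n')
        with open(os.path.join(bad, ".git", "hooks", "post-checkout"), "w") as fh:
            fh.write("#!/bin/sh\n")              # any non-sample hook is reported
        os.makedirs(os.path.join(good, ".git", "hooks"))
        with open(os.path.join(good, ".git", "hooks", "pre-commit.sample"), "w") as fh:
            fh.write("#!/bin/sh\n")
        with open(os.path.join(good, ".gitmodules"), "wb") as fh:
            fh.write(b'[submodule "lib"]\n\tpath = lib\n\turl = https://example.invalid/lib.git\n')
        return audit(bad), audit(good)
    finally:
        shutil.rmtree(bad)
        shutil.rmtree(good)


if __name__ == "__main__":
    for finding in demo()[0]:
        print(finding)
```

For a real checkout, call audit(".") from the top of the non-recursive clone. Reading .gitmodules as bytes rather than through git config is the essential design choice: both unpatched and patched Git strip a CR that precedes the line-ending LF on read, so git config would report subdir/foo and hide the indicator.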

Key Details

Property              Value
CVE ID                CVE-2025-48384
Vendor / Product      Git — Git
NVD Published         2025-07-08
NVD Last Modified     2025-11-06
CVSS 3.1 Score        8.0
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-59
CISA KEV Added        2025-08-25
CISA KEV Deadline     2025-09-15
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    High
Privileges Required:  Low
User Interaction:     Required
Scope:                Changed
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2025-09-15. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-07-08   CVE published — coordinated disclosure of 7 Git CVEs; patched versions released simultaneously
2025-07-08   Public PoC exploits appeared on GitHub within hours of the coordinated disclosure
2025-08-25   Added to CISA Known Exploited Vulnerabilities catalog — active in-the-wild exploitation confirmed
2025-09-15   CISA BOD 22-01 remediation deadline for federal agencies