CISA urges federal agencies to immediately patch an exploited arbitrary file write vulnerability in Git that leads to remote code execution.
The US cybersecurity agency CISA on Monday warned that a recent vulnerability in Git has been exploited in attacks, adding it to its Known Exploited Vulnerabilities (KEV) catalog and urging its immediate patching.
The flaw, tracked as CVE-2025-48384 (CVSS score of 8.1), is described as an arbitrary file write that occurs when a repository containing submodules is cloned with the ‘--recursive’ flag (git clone --recursive), which initializes and checks out the submodules as part of the clone.
The issue exists because Git's configuration reader and writer disagree about carriage return (CR) characters: when reading a configuration value, Git strips a trailing CR, but when writing a value that contains a CR it does not quote it, so the character is silently lost the next time the value is read.
Thus, initializing a submodule whose configured path ends in a CR yields an altered path (the same string minus the CR) on the second read, and the submodule is checked out to that different location rather than the one recorded in .gitmodules.
“If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout,” Git’s advisory reads.
In practice, an attacker who controls a repository can use this to steer internal submodule paths: Git then writes the submodule's files to a location of the attacker's choosing and initializes the submodule there. Because the ingredients are a crafted submodule path and a symlink in the top-level repository plus an executable post-checkout file in the submodule, a single recursive clone by the victim is enough to trigger the hook.
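The following Python script is an added illustration, not Git's source code and not the public PoC: it models the reader/writer asymmetry described above with a small config-line parser and writer, shows how a trailing CR survives a quoted .gitmodules value but disappears after an unquoted round trip through the writer, and flags .gitmodules entries whose path still contains a CR after parsing. The parsing rules, the patched quoting rule, the key name used for the round trip and the sample .gitmodules content are simplified assumptions, and the symlink-into-hooks step that turns the misplaced checkout into code execution is not modelled.

```python
"""Model of the Git config read/write asymmetry behind CVE-2025-48384.

Added illustration only: not Git's source and not the public PoC.  The
reader and writer reproduce just the behaviour the advisory describes
(trailing CR stripped on read, CR not quoted on write).
"""
from __future__ import annotations

import re

ESCAPES_IN = {"n": "\n", "t": "\t"}
ESCAPES_OUT = {"\n": "\\n", "\t": "\\t", '"': '\\"', "\\": "\\\\"}


def read_value(line: str) -> str:
    """Parse the value of one `key = value` config line.

    Outside double quotes, whitespace (CR included) is kept only when more
    text follows it, so a trailing CR is dropped.  Inside quotes every
    character is kept apart from backslash escapes, so a CR there survives.
    """
    _, _, raw = line.partition("=")
    raw = raw.lstrip(" \t")
    out = []
    quote = False
    pending = 0  # whitespace seen outside quotes, emitted only if text follows
    i = 0
    while i < len(raw):
        c = raw[i]
        i += 1
        if c == "\n" or (c in ";#" and not quote):  # end of line or comment
            break
        if c.isspace() and not quote:
            if out:
                pending += 1
            continue
        if c == '"':
            quote = not quote
            continue
        if c == "\\" and i < len(raw):
            c = ESCAPES_IN.get(raw[i], raw[i])
            i += 1
        out.append(" " * pending)
        pending = 0
        out.append(c)
    return "".join(out)


def write_line(key: str, value: str, fixed: bool) -> str:
    """Serialise `key = value` as a config line.

    The vulnerable writer quotes only for leading/trailing spaces and comment
    characters.  fixed=True models the patched rule (assumption: a value
    containing a CR is quoted too, so the CR no longer sits before the LF).
    """
    must_quote = (value.startswith(" ") or value.endswith(" ")
                  or any(c in ";#" for c in value))
    if fixed and "\r" in value:
        must_quote = True
    text = "".join(ESCAPES_OUT.get(c, c) for c in value)
    if must_quote:
        text = f'"{text}"'
    return f"{key} = {text}\n"


def round_trip(value: str, fixed: bool) -> str:
    """Write a value into a config line and read it back (key name arbitrary)."""
    return read_value(write_line("path", value, fixed))


SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]*)"\]')


def find_cr_paths(gitmodules: str) -> list[tuple[str, str]]:
    """Return (submodule name, parsed path) pairs whose path contains a CR.

    Lines are split on LF only so a CR inside a quoted value reaches the
    parser; ordinary CRLF line endings are stripped by read_value, not flagged.
    """
    hits = []
    section = None
    for line in gitmodules.split("\n"):
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        key = line.split("=", 1)[0].strip().lower()
        if section is not None and key == "path":
            path = read_value(line)
            if "\r" in path:
                hits.append((section, path))
    return hits


# Constructed sample .gitmodules: one benign entry, one with a quoted trailing CR.
SAMPLE_GITMODULES = (
    '[submodule "lib"]\n'
    "\tpath = lib\n"
    "\turl = https://example.invalid/lib.git\n"
    '[submodule "evil"]\n'
    '\tpath = "evil\r"\n'
    "\turl = https://example.invalid/evil.git\n"
)

if __name__ == "__main__":
    print("first read of quoted path:", repr(read_value('path = "evil\r"')))
    print("vulnerable round trip:    ", repr(round_trip("evil\r", fixed=False)))
    print("patched round trip:       ", repr(round_trip("evil\r", fixed=True)))
    print("flagged entries:          ", find_cr_paths(SAMPLE_GITMODULES))
```

Running it shows the quoted path read as 'evil\r', the vulnerable round trip collapsing it to 'evil', the modelled fix preserving it, and the sample's "evil" entry flagged. A file whose only CRs come from Windows-style line endings is not reported, because those are stripped on the first read exactly as Git would strip them and therefore never reach the writer.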
Shortly after the Git project released patches for CVE-2025-48384 on July 8 (Git v2.50.1, with backports to the supported maintenance releases), Datadog warned that proof-of-concept (PoC) code targeting the bug had been released. Administrators can confirm the installed version with git --version; builds older than the patched releases should be updated before any recursive clone of an untrusted repository is performed.
Source: https://www.securityweek.com/organizations-warned-of-exploited-git-vulnerability/