Git, the widely-used version control system, has been found vulnerable to two high-severity security flaws that could allow attackers to achieve arbitrary file writes and potentially escalate to remote code execution (RCE). These flaws affect Git’s handling of submodules and bundle URIs and were responsibly disclosed in July 2025.
📌 CVE-2025-48384 – Arbitrary File Write via Malicious .gitmodules
🎯 Affected Platforms
- Git CLI on Linux/macOS
- GitHub Desktop on macOS (due to default
--recursivebehavior) - Windows Git is not affected
⚠️ Vulnerability Description
This vulnerability abuses how Git processes .gitmodules files during a recursive clone. When a Git repository with submodules is cloned using --recursive, Git reads paths from .gitmodules to initialize submodules.
The issue arises from Git’s inconsistent handling of carriage return (CR) characters:
- Git strips
\r(carriage return) characters when reading, but not when writing these paths. - An attacker can craft a
.gitmodulesfile containing a submodule path with a trailing\r, tricking Git into writing to unintended files.
By combining this behavior with a symbolic link (symlink) pointing to a Git hook (e.g., .git/hooks/post-checkout), an attacker can overwrite hook scripts, which are executed during Git operations. This leads to arbitrary code execution on the victim’s machine.
💥 Exploit Scenario
- Attacker creates a malicious Git repo with a submodule containing a crafted path.
- Victim runs:
git clone --recursive https://malicious-repo.git - Malicious
.gitmodulescauses Git to overwrite a hook script. - The hook gets executed, leading to remote code execution.
🛡️ Mitigations
- Upgrade Git to one of the patched versions.
- Avoid using
--recursiveingit clone. - Manually inspect
.gitmodulesbefore running submodule-related commands. - Disable submodules via Git configuration if not used:
git config --global submodule.recurse false
