CISA has issued a high-severity warning for CVE-2025-48384, a link-following vulnerability in Git that enables arbitrary file writes via misconfigured carriage return handling in configuration files.
This flaw has already seen active exploitation, underscoring the critical need for immediate mitigation.
Key Takeaways
1. CVE-2025-48384 lets attackers abuse CR handling in Git configs to write arbitrary files.
2. It endangers CI/CD and build systems.
3. Upgrade and apply BOD 22-01 controls.
Git Arbitrary File Write Vulnerability
CVE-2025-48384 arises from Git’s inconsistent handling of trailing carriage return (CR) characters in .git/config and other configuration entries. When Git reads a config value, it strips any trailing CR and line feed (LF) characters.
However, when writing a config entry that ends with a CR, Git does not quote the value, causing the CR to be lost after re-read. This behavior can be abused during submodule initialization:
In this case, Git strips r on read, altering the intended path (e.g., payload instead of payloadr). If a symlink named payload points to .git/hooks, a cloned repository can place an attacker-controlled post-checkout hook into the hooks directory.
Upon checkout, this hook executes arbitrary code with the user’s privileges, allowing arbitrary file writes anywhere on the filesystem.
This flaw is cataloged under CWE-59 (Link Following) and CWE-436 (Interpretation of Trusted Input).
Although no direct link to ransomware campaigns has been confirmed, the potential for chain-loading malicious hooks makes this vulnerability exceptionally dangerous in automated build and CI/CD pipelines.
| Risk Factors | Details |
| Affected Products | Git versions ≤ 2.50.0 (including maintenance tracks 2.43.7–2.49.1) E |
| Impact | Arbitrary file writes or code execution |
| Exploit Prerequisites | Clone an untrusted repository containing a submodule whose path ends with r |
| CVSS 3.1 Score | 8.0 (High) |
Mitigations
CISA advises organizations to apply fixes as detailed by Git maintainers and vendors without delay.
Update Git to version 2.50.1 (and subsequent patches on older maintenance tracks 2.43.7 through 2.49.1) available at the official kernel.org repositories.
For cloud-based development environments, implement Binding Operational Directive (BOD) 22-01 controls to enforce patching or disable vulnerable Git installations centrally.
If immediate patching is not feasible, disable Git submodule initialization or remove the .git/hooks/post-checkout script from CI/CD runners and developer workstations.
All organizations are urged to treat this vulnerability with urgent priority, ensuring patches are deployed by September 15, 2025, the official due date for remediation.
Failure to address CVE-2025-48384 could result in unauthorized code execution, data tampering, or supply-chain compromise within critical software development lifecycles.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
Source link
