PoC Released for High-Severity Git CLI Vulnerability Allowing Arbitrary File Writes
A critical vulnerability in Git’s command-line interface has been disclosed with public proof-of-concept exploits available, allowing arbitrary file writes and remote code execution on Linux and macOS systems.
CVE-2025-48384 affects Git installations that run git clone --recursive against weaponized repositories; it exploits improper handling of carriage return characters in .gitmodules files to bypass security controls.
| Field | Details |
| --- | --- |
| CVE ID | CVE-2025-48384 |
| CVSS Score | 8.1/10 (High) |
| Vulnerability Type | Arbitrary File Write, Remote Code Execution |
| CWE Classification | Path Traversal, Configuration Parsing |
| Affected Platforms | Linux, macOS (Windows unaffected) |
Technical Analysis and Exploitation
According to the Datadog report, the vulnerability stems from a mismatch in the behavior of Git's configuration parser when it processes control characters.
Specifically, carriage return (\r) characters may be stripped during read operations but preserved during write operations, creating a read-write mismatch.
Attackers can craft malicious .gitmodules files with submodule paths ending in carriage returns, such as hooks\r../../../.git/hooks/malicious.sh.
When Git processes such a path, the config parser reads it as hooks but writes to the full path including the carriage return, enabling directory traversal outside the intended submodule location.
This primitive allows attackers to write malicious Git hook scripts into the victim's .git/hooks directory, achieving remote code execution when common Git operations such as git commit and git merge are performed.
The GitHub Desktop client for macOS is also vulnerable because it uses git clone --recursive by default. Windows installations remain unaffected because of differences in how control characters are handled on UNIX-derived systems.

Affected Versions and Patches
Git coordinated a security release on July 8, 2025, addressing the vulnerability across multiple versions:
| Git Version Range | Status | Platforms Affected |
| --- | --- | --- |
| 2.43.6 and prior | Vulnerable | Linux, macOS |
| 2.43.7 | Patched | Linux, macOS |
| 2.44.0–2.44.3 | Vulnerable | Linux, macOS |
| 2.44.4 | Patched | Linux, macOS |
| 2.45.0–2.45.3 | Vulnerable | Linux, macOS |
| 2.45.4 | Patched | Linux, macOS |
| 2.46.0–2.46.3 | Vulnerable | Linux, macOS |
| 2.46.4 | Patched | Linux, macOS |
| 2.47.0–2.47.2 | Vulnerable | Linux, macOS |
| 2.47.3 | Patched | Linux, macOS |
| 2.48.0–2.48.1 | Vulnerable | Linux, macOS |
| 2.48.2 | Patched | Linux, macOS |
| 2.49.0 | Vulnerable | Linux, macOS |
| 2.49.1 | Patched | Linux, macOS |
| 2.50.0 | Vulnerable | Linux, macOS |
| 2.50.1 | Patched | Linux, macOS |
The vulnerability carries a CVSS score of 8.1 (High) and poses significant risks to software developers and CI/CD systems.
Exploitation scenarios include writing malicious hooks for persistence, overwriting Git configuration files to exfiltrate intellectual property, and compromising automated build pipelines.
Organizations should immediately upgrade to patched versions using their package managers. GitHub Desktop users on macOS should temporarily use the Git CLI until a patch is released.
Security teams should audit .gitmodules files for suspicious carriage return characters and implement detection rules for git clone --recursive operations against untrusted repositories.
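The audit of .gitmodules recommended above, as an added example that is not part of the article or of Datadog's report: it parses the file without letting a carriage return vanish, flags any \r embedded in a submodule value, and reports path entries whose segments traverse upward or land in a .git directory, the pattern the technical analysis describes. The sample file and the finding strings are constructed for this example; a file saved with CRLF line endings is normalised first so it does not raise false positives.

```python
import re

# Constructed sample (not from any real repository): "lib" is benign, "hooks"
# carries the carriage-return-plus-traversal path this advisory describes.
SAMPLE_GITMODULES = (
    '[submodule "lib"]\n'
    '\tpath = lib\n'
    '\turl = https://example.invalid/lib.git\n'
    '[submodule "hooks"]\n'
    '\tpath = hooks\r../../../.git/hooks/post-checkout\n'
    '\turl = https://example.invalid/hooks.git\n'
)
SECTION_RE = re.compile(r'^[ \t]*\[submodule[ \t]+"([^"]*)"\]')
KEY_RE = re.compile(r'^[ \t]*(\w+)[ \t]*=[ \t]*(.*)$')

def parse_gitmodules(text):
    """Map submodule name -> {key: raw value}. Lines are split on \\n only,
    so a \\r embedded in a value survives instead of being silently dropped."""
    lines = text.split('\n')
    # CRLF-saved files end every line with \r; strip that uniformly so only
    # a \r *inside* a value is treated as suspicious.
    nonempty = [l for l in lines if l]
    if nonempty and all(l.endswith('\r') for l in nonempty):
        lines = [l[:-1] for l in lines]
    modules, current = {}, None
    for line in lines:
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            modules[current] = {}
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            modules[current][m.group(1)] = m.group(2)
    return modules

def audit_gitmodules(text):
    """One finding per suspicious submodule value; an empty list means clean."""
    findings = []
    for name, keys in parse_gitmodules(text).items():
        for key, value in keys.items():
            if '\r' in value:
                findings.append(f'{name}.{key}: embedded carriage return')
            if key == 'path':
                # Split the way a writer that keeps the \r would lay the path out.
                segments = re.split(r'[\r/\\]+', value)
                if '..' in segments:
                    findings.append(f'{name}.{key}: parent-directory traversal')
                if '.git' in segments:
                    findings.append(f'{name}.{key}: targets a .git directory')
    return findings
```

Run it over every .gitmodules in a repository before a recursive clone is allowed in CI; any non-empty result should block the job and be reviewed by hand.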