CVE-2025-48384

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-48384
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-48384.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-48384
Aliases
Downstream
Related
Published
2025-07-08T18:23:48.710Z
Modified
2026-02-03T07:40:02.985594Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Git allows arbitrary code execution through broken config quoting
Details

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-436",
        "CWE-59"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/48xxx/CVE-2025-48384.json"
}
References

Affected packages

Git / github.com/git-for-windows/git

Affected ranges

Type
GIT
Repo
https://github.com/git-for-windows/git
Events
Fixed
4d32d83913170b86f9753fca10e75cdb2223d1cc
Introduced
cca1f38702730b35f52c29efd62864b85e85ddcc
Fixed
6cba5081d357807b9d132c68423ad561b7f153e2
Fixed
9022eb323edaad8654d79b9d325d9429a53763d9

Affected versions

v2.*
v2.49.0.windows.1
v2.50.0-rc0.windows.1
v2.50.0-rc1.windows.1
v2.50.0-rc2.windows.1
v2.50.0.windows.1
v2.50.0.windows.2

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-48384.json"

Git / github.com/git/git

Affected ranges

Type
GIT
Repo
https://github.com/git/git
Events
Introduced
3c2a3fdc388747b9eaf4a4a4f2035c1c9ddb26d0
Fixed
080b728d4b2bbdd2c0b9eb9ed6a41195f8303088
Introduced
39bf06adf96da25b87c9aa7d35a32ef3683eb4a4
Fixed
47d3b506d48b7971080f09770f5b06b42569c967
Fixed
7a1903ad46b5cc7524c0734a5034dccaec07209b
Introduced
777489f9e09c8d0dd6b12f9d90de6376330577a2
Fixed
a52a24e03c8c711f1d5e252fba78f9276908129b
Introduced
683c54c999c301c2cd6f715c411407c413b1d84e
Fixed
aadf8ae518afd80b73d49eff8aff475161aa5157
Introduced
16bd9f20a403117f2e0d9bcda6c6e621d3763e77
Fixed
d82adb61ba2fd11d8f2587fca1b6bd7925ce4044
Introduced
786a3e4b8d754d2b14b1208b98eeb0a554ef19a8
Fixed
f94b90ad6e49cc7f15c4171c5a434aa459e82d2d
Introduced
fbe8d3079d4a96aeb4e4529cc93cc0043b759a05
Fixed
fbae1f06cbb04a6592c32f465e9bc28149039358

Affected versions

v2.*
v2.39.4
v2.39.5
v2.40.2
v2.40.3
v2.40.4
v2.41.1
v2.41.2
v2.41.3
v2.42.2
v2.42.3
v2.42.4
v2.43.4
v2.43.5
v2.43.6
v2.43.7
v2.44.0
v2.44.1
v2.44.2
v2.44.3

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-48384.json"