DEBIAN-CVE-2025-48384

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2025-48384
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-48384.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2025-48384
Upstream
Downstream
Published
2025-07-08T19:15:42Z
Modified
2025-10-10T19:31:14.973218Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.

References

Affected packages

Debian:11 / git

Package

Name
git
Purl
pkg:deb/debian/git?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:2.30.2-1+deb11u5

Affected versions

1:2.*

1:2.30.2-1
1:2.30.2-1+deb11u1
1:2.30.2-1+deb11u2
1:2.30.2-1+deb11u3
1:2.30.2-1+deb11u4

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / git

Package

Name
git
Purl
pkg:deb/debian/git?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:2.*

1:2.39.2-1.1
1:2.39.2+next.20230215-1
1:2.39.5-0+deb12u1
1:2.39.5-0+deb12u2
1:2.40.0-1
1:2.40.0-1+alpha.1
1:2.40.0+next.20230313-1
1:2.40.0+next.20230319-1
1:2.40.1-1
1:2.40.1-1+alpha.1
1:2.40.1+next.20230424-1
1:2.40.1+next.20230427-1
1:2.42.0-1
1:2.43.0-1
1:2.43.0-1+alpha.2
1:2.43.0+next.20231120-1
1:2.43.0+next.20240104-1
1:2.45.1-1
1:2.45.1+next.20240516-1
1:2.45.2-1
1:2.45.2-1+alpha.1
1:2.45.2-1.1
1:2.45.2-1.1+alpha.1
1:2.45.2-1.2
1:2.45.2-1.3
1:2.45.2+next.20240614-1
1:2.47.1-1
1:2.47.2-0.1
1:2.47.2-0.2
1:2.48.0~rc1+next.20250101-1
1:2.49.0-1
1:2.49.0-2
1:2.49.0-3
1:2.49.0+next.20250314-1
1:2.50.0~rc0+next.20250528-1
1:2.50.0-1
1:2.50.0+next.20250615-1
1:2.50.1-0.1
1:2.51.0-1
1:2.51.0+next.20250825-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / git

Package

Name
git
Purl
pkg:deb/debian/git?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:2.47.3-0+deb13u1

Affected versions

1:2.*

1:2.47.2-0.2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:14 / git

Package

Name
git
Purl
pkg:deb/debian/git?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:2.50.1-0.1

Affected versions

1:2.*

1:2.47.2-0.2
1:2.48.0~rc1+next.20250101-1
1:2.49.0-1
1:2.49.0-2
1:2.49.0-3
1:2.49.0+next.20250314-1
1:2.50.0~rc0+next.20250528-1
1:2.50.0-1
1:2.50.0+next.20250615-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}