
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-48384 is a high-severity vulnerability in Git discovered and disclosed on July 8, 2025. The vulnerability affects Git versions prior to v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1. This security issue affects macOS and Linux installations of Git, while Windows installations are not vulnerable (Arctic Wolf).
The vulnerability stems from Git's handling of trailing carriage return (CR) characters in config values. When reading a config value, Git strips trailing carriage return and line feed (CRLF) characters, but when writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. This behavior becomes particularly dangerous when initializing submodules: if a submodule path contains a trailing CR, the altered path can cause Git to initialize the submodule in an unintended location. The vulnerability has been assigned a CVSS v3.1 base score of 8.0 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H (GitHub Advisory).
If exploited, the vulnerability can lead to arbitrary code execution. When combined with a symlink pointing to the submodule hooks directory and an executable post-checkout hook, cloning a repository can result in unintended code execution. The vulnerability poses a notable supply chain risk, particularly for developers who regularly work with third-party code (Arctic Wolf).
Users are strongly advised to upgrade to the latest fixed versions: v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, or v2.50.1. On macOS, upgrading Git via a package manager such as Homebrew does not replace the system version at /usr/bin/git; the new version is installed alongside it, and PATH must be updated to use it. As an additional security measure, users should avoid cloning untrusted repositories in sensitive environments and avoid using the --recursive switch in the clone command where possible (Arctic Wolf).
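A version check for the upgrade advice above, as an added example that is not part of the original advisory or of Git: it compares each git binary's reported version against the fixed releases listed on this page, covering /usr/bin/git as well as whatever PATH resolves first. The Homebrew paths, the `.windows.` marker test and treating release lines after 2.50 as patched are assumptions.

```python
import os
import re
import shutil
import subprocess

# First fixed patch release on each maintained line, as listed on this page.
FIXED = {(2, 43): 7, (2, 44): 4, (2, 45): 4, (2, 46): 4,
         (2, 47): 3, (2, 48): 2, (2, 49): 1, (2, 50): 1}
# Assumed extra locations: the system git plus the usual Homebrew prefixes.
EXTRA_PATHS = ["/usr/bin/git", "/usr/local/bin/git", "/opt/homebrew/bin/git"]

def classify(version_output):
    """Map `git --version` output to vulnerable/patched/not-affected/unknown."""
    m = re.search(r"git version (\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        return "unknown"
    if ".windows." in version_output:
        return "not-affected"  # page: Windows installations are not vulnerable
    major, minor, patch = map(int, m.groups())
    series = (major, minor)
    if series in FIXED:
        return "patched" if patch >= FIXED[series] else "vulnerable"
    # Lines older than 2.43 predate every fix; lines after 2.50 are
    # assumed to include it (assumption, not stated on the page).
    return "vulnerable" if series < min(FIXED) else "patched"

def candidate_gits():
    """Distinct git binaries: the one PATH resolves first, then fixed paths."""
    found = []
    for p in [shutil.which("git")] + EXTRA_PATHS:
        if p and os.path.isfile(p) and \
                os.path.realpath(p) not in map(os.path.realpath, found):
            found.append(p)
    return found

def audit(paths=None):
    """Return [(path, version string, status)] for each git binary."""
    rows = []
    for p in paths if paths is not None else candidate_gits():
        try:
            out = subprocess.run([p, "--version"], capture_output=True,
                                 text=True, timeout=10).stdout.strip()
        except (OSError, subprocess.SubprocessError):
            out = ""  # binary missing or not runnable: reported as unknown
        rows.append((p, out, classify(out)))
    return rows

if __name__ == "__main__":
    for path, version, status in audit():
        print(f"{status:12} {path}  [{version}]")
```

The comparison uses upstream version numbers only, so a vendor build that backports the fix without changing its version string is still reported as vulnerable.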
Source: This report was generated using AI