
Cloud Vulnerability DB
A community-led vulnerabilities database
The Git version control system contains a vulnerability (CVE-2025-48384) caused by improper handling of carriage returns in config values and submodule paths. The vulnerability affects Git versions older than v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1, and was discovered by David Leadbeater (OSS Security).
When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, so the CR is lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path (without the CR) is read, resulting in the submodule being checked out to an incorrect location. The vulnerability has been assigned a CVSS v3.1 base score of 8.0 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H (NVD).
If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This could potentially lead to arbitrary code execution (OSS Security).
The vulnerability has been fixed in Git versions v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1. Users should upgrade to one of these patched versions to protect against this vulnerability (OSS Security).
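The fixed versions are per release line, so a single "greater than" comparison misclassifies hosts. The added example below (not part of the original advisory) checks `git --version` output against the list above. The hostnames and sample outputs are constructed, and the treatment of release lines newer than 2.50 as fixed is an assumption; vendor backports to older version numbers are not detected.

```python
import re

# Fixed releases listed in the advisory above, keyed by (major, minor) release line.
FIXED = {
    (2, 43): 7, (2, 44): 4, (2, 45): 4, (2, 46): 4,
    (2, 47): 3, (2, 48): 2, (2, 49): 1, (2, 50): 1,
}
NEWEST_LINE = max(FIXED)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_git_version(text):
    """Extract (major, minor, patch) from `git --version` output or a bare version."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Git version found in {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_patched(text):
    """True if the upstream version number is at or above the fix for its release line."""
    major, minor, patch = parse_git_version(text)
    line = (major, minor)
    if line in FIXED:
        return patch >= FIXED[line]
    # Lines older than 2.43 have no fixed release in the advisory's list.
    # Assumption: lines newer than 2.50 already contain the fix.
    return line > NEWEST_LINE


# Constructed sample inventory (hostnames and outputs are made up for illustration).
SAMPLE_INVENTORY = {
    "build-01": "git version 2.50.1",
    "build-02": "git version 2.49.0.windows.1",
    "dev-mac": "git version 2.39.5 (Apple Git-154)",
    "ci-runner": "git version 2.43.7",
    "laptop-7": "git version 2.51.0",
}


def vulnerable_hosts(inventory):
    """Return the sorted hosts whose reported Git version is below the fixed release."""
    return sorted(h for h, out in inventory.items() if not is_patched(out))


if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> upgrade required")
```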
Source: This report was generated using AI