
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-48385 is a vulnerability discovered in Git that affects the client's handling of advertised bundles during repository cloning. The vulnerability was disclosed on July 8, 2025, and affects multiple versions of Git prior to v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1. The issue stems from insufficient validation of advertised bundles by the Git client when fetching from a remote server (GitHub Advisory).
The vulnerability is triggered when the Git client fetches a bundle advertised by the remote server during repository cloning. Because the client does not sufficiently validate the advertised bundles, a malicious remote server can perform protocol injection. The CVSS v4.0 base score is 8.6 (High), with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, indicating a network attack vector, low attack complexity, a required user interaction (the clone itself), and high impacts on confidentiality, integrity, and availability (GitHub Advisory).
The vulnerability can lead to arbitrary file writes on the client system, as the protocol injection allows the attacker to control where the fetched bundle is written. The fetched content is fully controlled by the server, which in the worst case can lead to arbitrary code execution. The impact is particularly severe as it affects the fundamental clone operation in Git (GitHub Advisory).
Several mitigations are available:
1) Upgrade to a patched release (v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, or v2.50.1).
2) Disable the bundle.heuristic configuration option.
3) Disable recursive clones so the issue cannot be reached through submodules.
The bundle URI feature is not enabled by default, so clients that have not opted into it are not exposed (GitHub Advisory).
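The following script is an added example for the mitigations listed above; it is not code from this page, from Wiz, or from the Git project. It checks a Git version string against the fixed releases named in the advisory, reports whether the client-side bundle URI settings are set, and wraps `git clone` so the settings are off for that one invocation. Function names (`git_is_patched`, `report_bundle_uri_config`, `clone_no_bundles`) are the example's own. Two assumptions go beyond the page: releases newer than v2.50 (and any 3.x) are treated as carrying the fix, and anything older than v2.43 is treated as unpatched. `transfer.bundleURI` is Git's clone-time opt-in for bundle URIs (default false) and is checked alongside the `bundle.heuristic` option the page names.

```shell
#!/bin/sh
# Added example, not code from the Wiz page or from the Git project.
# 1) git_is_patched: compare a Git version string with the CVE-2025-48385
#    fixed releases the advisory lists (v2.43.7 ... v2.50.1).
# 2) report_bundle_uri_config: show whether bundle URI use is enabled.
# 3) clone_no_bundles: a clone wrapper applying the page's mitigations.

# Smallest patched point release per v2.X minor line, from the advisory.
fixed_patch_for_minor() {
  case "$1" in
    43) echo 7 ;;
    44) echo 4 ;;
    45) echo 4 ;;
    46) echo 4 ;;
    47) echo 3 ;;
    48) echo 2 ;;
    49) echo 1 ;;
    50) echo 1 ;;
    *)  echo "" ;;   # minor line not covered by the advisory
  esac
}

# Returns 0 if the version carries the fix, 1 otherwise.
# Accepts "2.47.3", "git version 2.47.3" or "2.50.1.windows.1".
# Assumptions (not stated on the page): 2.51 and later and any 3.x release
# post-date the fix; anything older than 2.43 is treated as unpatched.
git_is_patched() {
  ver=${1#git version }
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  case "$rest" in
    *.*) rest=${rest#*.} ;;
    *)   rest=0 ;;            # "2.47" has no point release
  esac
  patch=${rest%%[!0-9]*}      # keep leading digits only ("1.windows.1" -> 1)
  [ -z "$patch" ] && patch=0
  case "$major$minor" in ''|*[!0-9]*) return 1 ;; esac   # unparseable -> unpatched

  [ "$major" -gt 2 ] && return 0
  [ "$major" -lt 2 ] && return 1
  [ "$minor" -lt 43 ] && return 1
  [ "$minor" -gt 50 ] && return 0

  need=$(fixed_patch_for_minor "$minor")
  [ "$patch" -ge "$need" ]
}

# Print the two client-side settings that govern bundle URI use.
# transfer.bundleURI is the clone-time opt-in (default false); bundle.heuristic
# is the option the page says to disable. Read-only; needs git on PATH.
report_bundle_uri_config() {
  for key in transfer.bundleURI bundle.heuristic; do
    if val=$(git config --get "$key" 2>/dev/null); then
      echo "$key = $val   (bundle URIs enabled; unset with: git config --global --unset $key)"
    else
      echo "$key is not set (default: bundle URIs not used)"
    fi
  done
}

# Clone with the mitigations applied for this one invocation: bundle URIs
# off, and submodule recursion off (clone is non-recursive unless
# --recurse-submodules is passed, so do not pass it here).
clone_no_bundles() {
  git -c transfer.bundleURI=false -c submodule.recurse=false clone "$@"
}

# Run the version and config checks against the local git, if present.
if command -v git >/dev/null 2>&1; then
  v=$(git --version)
  if git_is_patched "$v"; then
    echo "$v: includes the CVE-2025-48385 fix"
  else
    echo "$v: NOT patched for CVE-2025-48385; upgrade"
  fi
  report_bundle_uri_config
fi
```

Run it with `sh check-git-bundleuri.sh` on each developer machine or CI image; a non-zero `git_is_patched` result or a set `transfer.bundleURI`/`bundle.heuristic` key is what to act on. The `-c` flags in `clone_no_bundles` affect only that command, so they are a stop-gap for hosts that cannot upgrade yet, not a replacement for the patched release.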
Source: This report was generated using AI