Git vulnerability leading to RCE is being exploited by attackers (CVE-2025-48384)

CVE-2025-48384, a recently patched vulnerability in the popular distributed revision control system Git, is being exploited by attackers.

Details about the attacks are not public, but the confirmation of exploitation comes from the US Cybersecurity and Infrastructure Security Agency (CISA), which added the flaw to its Known Exploited Vulnerabilities catalog on Monday.

About CVE-2025-48384

“[CVE-2025-48384] stems from a mismatch in how Git reads versus writes configuration values containing control characters,” Datadog researchers explained.

“The vulnerability can be exploited to write a malicious Git Hook script, resulting in remote code execution (RCE) whenever subcommands like git commit and git merge are run. An attacker can craft a malicious .gitmodules file with submodule paths ending in a carriage return. Due to Git’s config parser behavior, this character may be stripped on read but preserved on write, allowing malicious redirection of submodule contents. When combined with symlinks or certain repository layouts, this can lead to arbitrary writes across the filesystem.”

CVE-2025-48384 was publicly disclosed on July 8, 2025, when fixed versions of Git – v2.50.1, v2.49.1, v2.48.2, v2.47.3, v2.46.4, v2.45.4, v2.44.4, and v2.43.7 – were released.

A couple of days later, Datadog researchers found and validated working proof-of-concept (PoC) exploits that had already started showing up.

Trivial exploitation

The vulnerability can be easily exploited by creating malicious git repositories that will execute code when they are cloned.

It could also be abused to overwrite the victim’s Git configuration file, Datadog researchers noted, and attackers could use this approach to exfiltrate the targets’ intellectual property (e.g., proprietary source code) to their server. “Such Git activities would be transparent to the victim, allowing stealthy persistence for the attacker,” they added.

With in-the-wild attacks having been spotted, it’s imperative for developers working on macOS and Linux systems to check whether their Git version is up-to-date and, if it’s not, to update it to a version with the fix. (Mac users should make sure to update the Git version pre-installed with macOS Command Line Tools, as well.)

Some customer CI/CD build systems may also still use vulnerable Git versions.
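
A version check along those lines, as an added example (not code from Datadog, CISA or the Git project): it compares the output of `git --version` with the fixed releases listed above. The function names, status labels and sample strings are assumptions made for illustration.

```python
import re
import subprocess

# Fixed releases named in the article, keyed by (major, minor) release line.
FIXED_PATCH = {(2, 50): 1, (2, 49): 1, (2, 48): 2, (2, 47): 3,
               (2, 46): 4, (2, 45): 4, (2, 44): 4, (2, 43): 7}

def assess(version_output):
    """Classify the output of `git --version` against the CVE-2025-48384 fixes.

    Returns (status, has_suffix). has_suffix is True when text follows the
    x.y.z number, e.g. a vendor tag; vendor builds may carry backported
    fixes, so confirm a non-"patched" result with the vendor's advisory.
    """
    m = re.search(r"git version (\d+)\.(\d+)\.(\d+)(.*)", version_output)
    if not m:
        raise ValueError(f"unrecognised git version string: {version_output!r}")
    major, minor, patch = (int(g) for g in m.groups()[:3])
    has_suffix = bool(m.group(4).strip())
    line = (major, minor)
    if line > max(FIXED_PATCH):
        status = "patched"            # release lines after 2.50 include the fix
    elif line in FIXED_PATCH:
        status = "patched" if patch >= FIXED_PATCH[line] else "vulnerable"
    else:
        status = "no-fixed-release"   # older line: the article lists no fix for it
    return status, has_suffix

def local_git_status():
    """Run the check against the git binary found on PATH."""
    out = subprocess.run(["git", "--version"], capture_output=True,
                         text=True, check=True).stdout
    return assess(out)

if __name__ == "__main__":
    # Constructed sample strings, as might be collected from build agents.
    for sample in ["git version 2.50.1", "git version 2.47.2",
                   "git version 2.39.5 (Apple Git-154)", "git version 2.51.0"]:
        print(sample, "->", assess(sample))
```

Running `local_git_status()` inside each CI/CD build image reports on the Git binary that image actually uses, which can differ from the one on a developer workstation.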

Users have also been advised to avoid recursively cloning submodules in untrusted repositories.

By adding CVE-2025-48384 to its KEV catalog, CISA has ordered US federal civilian agencies to mitigate the vulnerability on their systems by September 15, 2025.
