A serious vulnerability, tracked as CVE-2025-48384, has been discovered in the Git CLI, the most popular tool in programming circles. It carries a CVSS score of 8.1 and allows an attacker to write arbitrary files and achieve remote code execution (RCE) on Linux and macOS systems through a clone of a specially crafted repository.
The CVE-2025-48384 vulnerability stems from Git's inconsistent handling of the carriage return (\r) character in the .gitmodules configuration file. When Git reads the configuration from this file, the \r characters may be omitted or cleaned up, but when the configuration is written to the .git/config file, they are retained. This becomes particularly dangerous when the attacker inserts a \r character at the end of the submodule path. During git clone --recursive, Git writes the submodule configuration containing the control characters to the local configuration area, which can silently override existing settings or insert malicious configuration without generating errors.
Researchers found that this technique can be used to overwrite sensitive fields in a Git configuration, such as the [remote "origin"] entry, to redirect the entire flow of code to an attacker-controlled server. In other scenarios, the attacker can write a file to the .git/hooks/ directory, where Git automatically executes scripts when the user performs operations such as git commit or git merge. This way, malicious code can be installed and run in the background as a hook, paving the way for prolonged attacks that are not detected immediately.
This is especially dangerous because the git clone --recursive command often appears in the README or documentation of open source projects. Less vigilant users can easily copy this command without realizing that they are setting off a chain of malicious behavior at the very first step. On macOS, GitHub Desktop also uses recursive clone mode by default, so the flaw can be exploited without any manual command-line use. Meanwhile, Windows systems are unaffected by this vulnerability because control characters are handled differently between the Unix and Windows ecosystems.
The affected versions cover the entire range from v2.50.0 and earlier, down to v2.43.6. The patches were released in the July 8, 2025 update: v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
To minimize the risk arising from this vulnerability, both individual and institutional users should proactively take early precautions, especially in workflows that use Git and submodule mechanisms. Users should consider applying the following steps to effectively protect their work environment:
- Avoid using the git clone --recursive command with unverified repositories, especially if you have not double-checked the contents of the .gitmodules file.
- For macOS users of GitHub Desktop:
  - Temporarily switch to a patched Git CLI
  - Wait for an official update of the app before relying on it for recursive cloning
- In the corporate environment:
  - Apply custom monitoring rules on an intrusion detection system (IDS)
  - Prioritize shell processes that have Git as an ancestor, especially when the command line contains clone and --recursive
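
One way to double-check a .gitmodules file before initializing submodules, as an added example that is not part of the original article or of Git itself. It is a conservative heuristic rather than a reimplementation of Git's config parser: it flags any line that still contains a control byte after one trailing CRLF is stripped. The sample inputs and the function name scan_gitmodules are constructed for illustration.

```python
import re
import sys

# C0 control bytes except TAB, plus DEL. LF is consumed by the line split and
# a single CR directly before LF is accepted as a CRLF line ending.
CONTROL = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")
SECTION = re.compile(rb'^[ \t]*\[submodule[ \t]+"(.*)"\][ \t]*$')
KEY = re.compile(rb"^[ \t]*([A-Za-z][A-Za-z0-9-]*)[ \t]*=")


def scan_gitmodules(data: bytes):
    """Return one finding per line that carries a stray control byte."""
    findings = []
    submodule = None
    for line_no, raw in enumerate(data.split(b"\n"), start=1):
        line = raw[:-1] if raw.endswith(b"\r") else raw  # tolerate CRLF files
        section = SECTION.match(line)
        if section:
            submodule = section.group(1).decode("utf-8", "replace")
        hit = CONTROL.search(line)
        if hit:
            key = KEY.match(line)
            findings.append({
                "line": line_no,
                "submodule": submodule,
                "key": key.group(1).decode() if key else None,
                "byte": hex(hit.group()[0]),
            })
    return findings


# Constructed samples (not taken from any real repository).
CLEAN = b'[submodule "lib"]\r\n\tpath = lib\r\n\turl = https://example.com/lib.git\r\n'
SUSPECT = b'[submodule "lib"]\n\tpath = "lib\r"\n\turl = https://example.com/lib.git\n'

if __name__ == "__main__":
    # Usage: python check_gitmodules.py path/to/.gitmodules
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SUSPECT  # fall back to the constructed sample
    results = scan_gitmodules(data)
    for f in results:
        print(f"line {f['line']}: submodule={f['submodule']!r} "
              f"key={f['key']} byte={f['byte']}")
    sys.exit(1 if results else 0)
```

Clone without --recursive, run the check on the checked-out .gitmodules, and only then run git submodule update --init --recursive. A non-zero exit code means at least one line needs manual review.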
CVE-2025-48384 shows once again that the biggest risks do not necessarily come from complex code or advanced techniques, but sometimes from seemingly harmless behavior such as running a familiar clone command. As software supply chain attacks become more common and more sophisticated, keeping tools updated, checking repositories thoroughly, and monitoring for unusual behavior become essential requirements, not only for large organizations but also for individual developers.