A serious security flaw has been reported in the Git CLI, the most widely used source code management tool in the developer community. The vulnerability, tracked as CVE-2025-48384 and rated 8.1 on the CVSS scale, allows attackers to write arbitrary files and even achieve remote code execution (RCE) on Linux and macOS systems. What makes it concerning is that exploitation requires only that the user perform a familiar operation: cloning a specially crafted Git repository.

The CVE-2025-48384 vulnerability stems from Git's inconsistent handling of the carriage return (\r) character in the .gitmodules configuration file. Specifically, when Git reads data from this file, \r characters may be dropped or stripped. However, when Git writes the information into the .git/config file in the local environment, these characters are left unchanged. This difference in processing creates a dangerous scenario, allowing an attacker to insert \r characters at the end of a submodule path. During execution of the git clone --recursive command, Git will inadvertently write the configuration containing the control characters to the system without generating warnings or errors, paving the way for malicious configuration to be inserted or existing configuration to be overwritten.
Security researchers point out that this technique can be abused to manipulate sensitive configuration fields in Git. One example is overriding the [remote "origin"] entry, thereby redirecting all source code downloads to an attacker-controlled server. In more dangerous scenarios, the attacker may write files directly to the .git/hooks/ directory. This is the area of a Git repository that holds scripts executed automatically whenever users perform operations such as git commit, git merge or git checkout. By installing malicious code as a hook, the attacker can maintain long-term control and execute code silently, in a way that is difficult to detect immediately.
The risk of this vulnerability is increased by common habits in the software development community. The git clone --recursive command frequently appears in the README or documentation of open source projects, especially those that use submodules. Users, especially novice programmers or those who are less vigilant, can easily copy and run the command without carefully checking the repository contents. On macOS, the risk is even greater because GitHub Desktop uses recursive clone mode by default, making exploitation possible without the user having to run anything on the command line. In contrast, Windows systems are not affected by this vulnerability because of differences in control character processing between the Windows environment and Unix-based operating systems.
According to the Git project, all versions from v2.43.6 and earlier up to v2.50.0 are affected. To fully fix the bug, patches were released in the July 8, 2025 update, including versions v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1 and v2.50.1 […]. Users are advised to upgrade to one of these versions as soon as possible.
To minimize the risks arising from CVE-2025-48384, both individuals and organizations should proactively adopt preventive measures. First, the git clone --recursive command should be avoided on unverified repositories, especially when the contents of the .gitmodules file have not been checked. For users of GitHub Desktop on macOS, the interim solution is to switch to the patched Git CLI or wait for an official update of the app. In an enterprise environment, custom monitoring rules should be implemented on an intrusion detection system (IDS), with priority given to tracking shell processes spawned by Git, especially during recursive clone operations.
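
One way to perform the .gitmodules check mentioned above, as an added example that is not part of the original article or of Git itself: a Python scanner that reads the file as raw bytes and reports any control character that is not an ordinary CRLF line ending. The function name, the sample data and the example.invalid URLs are constructed for illustration.

```python
import re
import sys

# Patterns work on raw bytes so no decoding step can hide a control character.
SECTION = re.compile(rb'^[ \t]*\[submodule[ \t]+"([^"]*)"\]')
KEYVAL = re.compile(rb'^[ \t]*([A-Za-z][A-Za-z0-9-]*)[ \t]*=')
# Any control byte except TAB; a CR that is not part of a CRLF ending lands here.
CONTROL = re.compile(rb'[\x00-\x08\x0a-\x1f\x7f]')

# Constructed sample: "docs" is clean, "lib" has a CR inside its quoted path.
# Two lines use CRLF endings to show that ordinary line endings are not flagged.
SAMPLE = (
    b'[submodule "docs"]\n'
    b'\tpath = docs\n'
    b'\turl = https://example.invalid/docs.git\n'
    b'[submodule "lib"]\r\n'
    b'\tpath = "lib\r"\n'
    b'\turl = https://example.invalid/lib.git\r\n'
)


def scan_gitmodules(data: bytes):
    """Return (line_no, submodule, key) for every line holding a control byte."""
    findings = []
    submodule = None
    for line_no, raw in enumerate(data.split(b"\n"), start=1):
        # Remove exactly one CR of a CRLF line ending; any other CR stays visible.
        line = raw[:-1] if raw.endswith(b"\r") else raw
        section = SECTION.match(line)
        if section:
            submodule = section.group(1).decode("utf-8", "replace")
        if CONTROL.search(line):
            keyval = KEYVAL.match(line)
            key = keyval.group(1).decode("ascii") if keyval else None
            findings.append((line_no, submodule, key))
    return findings


if __name__ == "__main__":
    # Usage: python scan_gitmodules.py path/to/.gitmodules (no argument scans SAMPLE)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            content = handle.read()
    else:
        content = SAMPLE
    hits = scan_gitmodules(content)
    for line_no, submodule, key in hits:
        print(f"line {line_no}: control character in submodule {submodule!r}, key {key!r}")
    sys.exit(1 if hits else 0)
```

The script exits with status 1 when anything is flagged, so it can gate a CI step that runs before submodules are initialized.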
The CVE-2025-48384 vulnerability is a clear demonstration that serious threats do not necessarily stem from sophisticated attack techniques, but sometimes from familiar everyday operations. Amid increasing software supply chain attacks, keeping tools updated, exercising caution with external repositories, and monitoring for unusual behavior have become essential requirements for every developer and organization.