CVE-2025-48384
Git allows arbitrary code execution through broken config quoting
En resumen
Git no cita correctamente valores de configuración con retorno de carro al final, haciendo que submódulos se clonem en ubicaciones incorrectas. Si un enlace simbólico apunta al directorio de hooks de Git, un atacante puede engañar a Git para ejecutar scripts maliciosos durante la configuración del submódulo.
Detalle técnico
Al leer valores de configuración, Git elimina caracteres CRLF pero no cita valores con CR final al escribir, causando interpretación incorrecta de la ruta durante inicialización de submódulo. Un atacante puede preparar un repositorio con ruta de submódulo que contenga CR que, combinado con enlace simbólico apuntando al directorio hooks, dispara ejecución no intencional de scripts post-checkout. Requiere que el usuario clone repositorio malicioso o actualice submódulos (CWE-436: Conflicto de Interpretación, CWE-59: Resolución Inadecuada de Enlace).
Resumen generado y traducido por IA a partir de la descripción oficial.
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Productos afectados
git · gitPoCs públicas encontradas — 43
githubgithub.com/acheong08/CVE-2025-48384★ 52githubgithub.com/liamg/CVE-2025-48384★ 21githubgithub.com/zr0n/CVE-2025-48384-main★ 1githubgithub.com/zr0n/CVE-2025-48384-sub★ 1githubgithub.com/IK-20211125/CVE-2025-48384★ 1githubgithub.com/vinieger/vinieger-CVE-2025-48384-Dockerfile★ 1githubgithub.com/beishanxueyuan/CVE-2025-48384-test★ 1githubgithub.com/ppd520/CVE-2025-48384★ 0githubgithub.com/NigelX/CVE-2025-48384★ 0githubgithub.com/greatyy/CVE-2025-48384-p★ 0githubgithub.com/testdjshan/CVE-2025-48384★ 0githubgithub.com/altm4n/cve-2025-48384★ 0githubgithub.com/altm4n/cve-2025-48384-hub★ 0githubgithub.com/p1026/CVE-2025-48384★ 0githubgithub.com/simplyfurious/CVE-2025-48384-submodule_test★ 0githubgithub.com/Anezatraa/CVE-2025-48384-submodule★ 0githubgithub.com/elprogramadorgt/CVE-2025-48384★ 0githubgithub.com/f1shh/CVE-2025-48384★ 0githubgithub.com/fluoworite/CVE-2025-48384★ 0githubgithub.com/fluoworite/CVE-2025-48384-sub★ 0githubgithub.com/beishanxueyuan/CVE-2025-48384★ 0githubgithub.com/replicatorbot/CVE-2025-48384★ 0githubgithub.com/replicatorbot/CVE-2025-48384-POC★ 0githubgithub.com/eliox01/CVE-2025-48384★ 0githubgithub.com/jacobholtz/CVE-2025-48384-poc★ 0githubgithub.com/jacobholtz/CVE-2025-48384-submodule★ 0githubgithub.com/butyraldehyde/CVE-2025-48384-PoC-Part2★ 0githubgithub.com/butyraldehyde/CVE-2025-48384-PoC★ 0githubgithub.com/arun1033/CVE-2025-48384★ 0githubgithub.com/s41r4j/CVE-2025-48384★ 0githubgithub.com/s41r4j/CVE-2025-48384-submodule★ 0githubgithub.com/vignesh21-git/CVE-2025-48384★ 0githubgithub.com/vignesh21-git/CVE-2025-48384-submodule★ 0githubgithub.com/DayDayDayDreaming/backup-exec-cve-48384★ 0githubgithub.com/sathish46-lab/CVE-2025-48384-submodule★ 0githubgithub.com/ECHO6789/CVE-2025-48384-submodule★ 0githubgithub.com/Fomovet/cve-2025-48384★ 0githubgithub.com/nguyentranbaotran/cve-2025-48384-poc★ 0githubgithub.com/admin-ping/CVE-2025-48384-RCE★ 0githubgithub.com/fishyyh/CVE-2025-48384★ 0githubgithub.com/kallydev/cve-2025-48384-hook★ 0githubgithub.com/fishyyh/CVE-2025-48384-POC★ 0githubgithub.com/liamg/CVE-2025-48384-submodule★ 0⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.
¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →Referencias
http://seclists.org/fulldisclosure/2025/Sep/60https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9https://lists.debian.org/debian-lts-announce/2025/10/msg00003.htmlhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48384http://www.openwall.com/lists/oss-security/2025/07/08/4