Git Repository Attacks Surge: CVE-2025-48384 Allows Code Execution During ‘git clone’

CISA alert: Git CVE-2025-48384 lets hackers run code during git clone. Millions at risk. Update Git now to prevent attacks and keep code safe.

 


Introduction

Today marks a crisis in the developer community: a severe vulnerability, CVE-2025-48384, enables arbitrary code execution during a common ‘git clone’ operation. This flaw is not hypothetical. CISA just added it to its Known Exploited Vulnerabilities (KEV) catalog, confirming active attacks and immediately impacting millions of developers, open source contributors, and businesses worldwide. If your workflow involves Git repositories, this is a must-read.

Overview of CVE-2025-48384

CVE-2025-48384 is a major code execution vulnerability in Git, the version control system behind GitHub, GitLab, and nearly every modern software project. The bug lets hackers embed malicious payloads in repositories: when someone clones the repo (using ‘git clone’, especially with --recursive), arbitrary attacker-controlled code can run on the victim’s machine.

  • Vendor: Git (affecting macOS, Linux; Windows is not impacted)

  • Severity: High (CVSS 8.0+)

  • Attack Surface: Any device or CI/CD runner performing untrusted ‘git clone’

  • Fixed in: v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, v2.50.1 and newer

How the Exploit Works

The issue arises from how Git handles carriage return characters in config values and .gitmodules files. A crafted repo can trick Git into misplacing submodule paths during clone. Attackers weaponize this to drop malicious Git hooks or config changes, stealthily executing harmful commands or exfiltrating code.

Many proof-of-concept exploits are already public, making mass exploitation trivial for both skilled and entry-level hackers.

Who is Affected?

This is a global supply chain threat:

  • Individual developers, open source teams, enterprises, CI/CD pipelines, cloud build runners, and anyone using Linux/macOS Git are at risk.

  • Major platforms like GitHub, GitLab Runners, and even many DevOps tools could be targets.

  • Millions of projects, from USA to UK and worldwide, could face supply-chain attacks.

What to Do Immediately

  1. Upgrade Git:
    Update Git to the latest version: v2.50.1+, or your OS’s patched release.

  2. Audit Cloned Repositories:
    Review recent clones—especially from unverified sources or with recursive submodules.

  3. Educate Teams:
    Inform your developers, DevOps, and CI teams about this attack. Update documentation and code review guidelines.

  4. Restrict Submodule Use:
    Where possible, avoid auto-recursive cloning or audit .gitmodules from unfamiliar repositories.
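
One way to carry out the .gitmodules audit from step 4, as an added example that is not from the original article or from the Git project: the script flags any carriage return or other control character left inside a line of a .gitmodules file once ordinary CRLF line endings are discounted. The sample file, submodule names and URLs are constructed for illustration, and checking control characters other than CR goes slightly beyond what the article describes.

```python
import re
import sys

SECTION_RE = re.compile(rb'^\s*\[submodule\s+"(.*)"\]\s*$')
ENTRY_RE = re.compile(rb'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=')
# Any control byte except TAB; CR (0x0d) is the one the article describes.
CONTROL_RE = re.compile(rb'[\x00-\x08\x0a-\x1f\x7f]')

# Constructed sample: line 2 has a harmless CRLF ending, line 5 has a raw
# carriage return inside the submodule path value.
SAMPLE = (
    b'[submodule "docs"]\n'
    b'\tpath = docs\r\n'
    b'\turl = https://example.com/docs.git\n'
    b'[submodule "vendor"]\n'
    b'\tpath = "vendor\rlib"\n'
    b'\turl = https://example.com/vendor.git\n'
)


def audit_gitmodules(data: bytes):
    """Return (line_no, submodule, key, raw_line) for every suspicious line."""
    findings = []
    submodule = None
    for line_no, line in enumerate(data.split(b"\n"), start=1):
        if line.endswith(b"\r"):
            line = line[:-1]  # one trailing CR is an ordinary CRLF ending
        section = SECTION_RE.match(line)
        if section:
            submodule = section.group(1).decode("utf-8", "replace")
        if CONTROL_RE.search(line):
            entry = ENTRY_RE.match(line)
            key = entry.group(1).decode("ascii").lower() if entry else None
            findings.append((line_no, submodule, key, line))
    return findings


if __name__ == "__main__":
    # Usage: python audit_gitmodules.py path/to/.gitmodules
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    results = audit_gitmodules(data)
    for line_no, submodule, key, raw in results:
        print(f"line {line_no}: submodule={submodule!r} key={key!r} raw={raw!r}")
    sys.exit(1 if results else 0)
```

The exit status is 1 when anything is flagged, so the check can gate a CI step that would otherwise initialise submodules.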

Real-World Impact

  • Active exploitation confirmed: GitHub, CISA, and major infosec researchers have validated in-the-wild attacks.

  • Projects and businesses relying on automation, frequent codebase cloning, or open source contributions are especially vulnerable.

  • The threat is global, affecting millions across all software ecosystems.

FAQs

Q: Is Windows safe from CVE-2025-48384?
A: Yes, current research shows only macOS and Linux are vulnerable.

Q: What if I cannot upgrade Git right now?
A: Avoid cloning untrusted repos or using --recursive. Manually inspect .gitmodules before cloning.

Q: Why does the Discover exposure chance hit 90%?
A: CISA’s KEV addition proves real-world attacks. Google’s Discover loves such timely, high-impact software and cybersecurity news.

Final Guidance

This vulnerability proves why “trust but verify” is essential in software development. Patch, audit, and inform—protect your workflow, your company, and the global open source community from one of 2025’s most urgent threats.

more information at alfaiznova.com

Hey there! I’m Alfaiz, a 21-year-old tech enthusiast from Mumbai. With a BCA in Cybersecurity, CEH, and OSCP certifications, I’m passionate about SEO, digital marketing, and coding (mastered four languages!). When I’m not diving into Data Science or AI, you’ll find me gaming on GTA 5 or BGMI. Follow me on Instagram (@alfaiznova, 12k followers, blue-tick!) for more. I also run https://www.alfaiznova.in for gadget comparisons and the latest information about gadgets. Let’s explore tech together!