A high-severity vulnerability in Git, tracked as CVE-2025-48384, is actively being exploited in the wild, prompting urgent calls for patching. This flaw, which carries a CVSS score of 8, was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on August 25, 2025, underscoring its critical nature. The vulnerability, which affects Git's configuration handling, allows attackers to execute remote code by exploiting improper handling of carriage return and line feed (CRLF) characters when reading and writing configuration entries.
The vulnerability was publicly disclosed on July 8, 2025, and has since been exploited within 47 days, highlighting the rapid pace at which attackers have moved to leverage this flaw. The exploitation of CVE-2025-48384 is facilitated by the availability of at least 42 proof-of-concept (PoC) exploits, which have been circulating among threat actors.
The vulnerability stems from Git's handling of configuration values, where trailing CRLF characters are stripped when reading a config value, but not properly managed when writing a config entry. This discrepancy can be manipulated by attackers to execute arbitrary code on systems running vulnerable versions of Git, potentially leading to unauthorized access and control over affected systems.
Security experts recommend immediate patching of Git installations to mitigate the risk posed by this vulnerability. Organizations using Git should prioritize updating to the latest version to protect against potential exploitation. The Software Security Vulnerability Classification (SSVC) has marked this vulnerability as "attend," indicating that it requires immediate attention due to its exploitation in the wild.
Given the high severity and active exploitation of CVE-2025-48384, defenders are urged to review their Git configurations and ensure that all systems are updated promptly. The vulnerability's presence in the KEV catalog further emphasizes the need for swift action to prevent potential breaches and data compromises.
CSURFACE