EUVD-2025-20677CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionNVD
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
AnalysisAI
Git contains a CRLF injection vulnerability (CVE-2025-48384, CVSS 8.0) in its config handling that allows attackers to escape header lines and modify config values. KEV-listed, this vulnerability in the world's most widely used version control system enables config injection attacks that could lead to arbitrary code execution through Git hooks, credential theft, or repository manipulation.
Technical ContextAI
When Git writes a config entry, it strips trailing CRLF from values but does not quote values containing only a trailing CR. This allows an attacker who can influence config values to inject additional lines into the git config file. Injected config entries could: set malicious hooks (core.hooksPath), modify credential helpers (credential.helper), change remote URLs, or alter other security-sensitive settings. Git config is implicitly trusted by Git operations.
RemediationAI
Update Git immediately. Review .gitconfig and repository configs for suspicious entries. Audit core.hooksPath and credential.helper settings. Enterprise: deploy Git updates through software management.
More from same product – last 7 days
Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers
Authentication-context bypass in pam_usb before 0.9.0 lets a person holding an enrolled USB device authenticate over SSH
pam_usb prior to 0.9.0 crashes under memory pressure due to assert()-based OOM guards in src/mem.c that are silently str
In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix workqueue list corruption by removin
Vendor StatusVendor
Ubuntu
Priority: High| Release | Status | Version |
|---|---|---|
| bionic | released | 1:2.17.1-1ubuntu0.18+esm2 |
| focal | released | 1:2.25.1-1ubuntu3.14+esm1 |
| jammy | released | 1:2.34.1-1ubuntu1.13 |
| noble | released | 1:2.43.0-1ubuntu7.3 |
| oracular | released | 1:2.45.2-1ubuntu1.2 |
| plucky | released | 1:2.48.1-0ubuntu1.1 |
| upstream | released | 2.43.7 |
| xenial | released | 1:2.7.4-0ubuntu1.10+esm9 |
Debian
Bug #1108983| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 1:2.30.2-1+deb11u5 | - |
| bullseye (security) | fixed | 1:2.30.2-1+deb11u5 | - |
| bookworm | vulnerable | 1:2.39.5-0+deb12u3 | - |
| bookworm (security) | vulnerable | 1:2.39.5-0+deb12u2 | - |
| trixie | fixed | 1:2.47.3-0+deb13u1 | - |
| forky | fixed | 1:2.51.0-1 | - |
| sid | fixed | 1:2.53.0-1 | - |
| (unstable) | fixed | 1:2.50.1-0.1 | - |
Share
External POC / Exploit Code
Leaving vuln.today