Skip to main content

Ubuntu CVE-2025-48385

| EUVDEUVD-2025-20678 HIGH
External Control of File Name or Path (CWE-73)
2025-07-08 security-advisories@github.com
8.6
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Ubuntu
MEDIUM
qualitative
SUSE
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Red Hat
8.3 HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 16, 2026 - 04:21 euvd
EUVD-2025-20678
Analysis Generated
Mar 16, 2026 - 04:21 vuln.today
CVE Published
Jul 08, 2025 - 19:15 nvd
HIGH 8.6

DescriptionGitHub Advisory

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution. The use of bundle URIs is not enabled by default and can be controlled by the bundle.heuristic config option. Some cases of the vulnerability require that the adversary is in control of where a repository will be cloned to. This either requires social engineering or a recursive clone with submodules. These cases can thus be avoided by disabling recursive clones. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.

Analysis

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution. The use of bundle URIs is not enabled by default and can be controlled by the bundle.heuristic config option. Some cases of the vulnerability require that the adversary is in control of where a repository will be cloned to. This either requires social engineering or a recursive clone with submodules. These cases can thus be avoided by disabling recursive clones. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.

Technical ContextAI

Remote code execution allows an attacker to run arbitrary commands or code on the target system over a network without prior authentication.

RemediationAI

Apply vendor patches immediately. Restrict network access to vulnerable services. Implement network segmentation and monitoring for anomalous activity.

Vendor StatusVendor

Ubuntu

Priority: Medium
git
Release Status Version
xenial not-affected code not present
bionic not-affected code not present
focal not-affected code not present
jammy not-affected code not present
noble released 1:2.43.0-1ubuntu7.3
oracular released 1:2.45.2-1ubuntu1.2
plucky released 1:2.48.1-0ubuntu1.1
upstream released 2.43.7

Debian

Bug #1108983
git
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 1:2.30.2-1+deb11u5 -
bookworm vulnerable 1:2.39.5-0+deb12u3 -
bookworm (security) vulnerable 1:2.39.5-0+deb12u2 -
trixie fixed 1:2.47.3-0+deb13u1 -
forky fixed 1:2.51.0-1 -
sid fixed 1:2.53.0-1 -
(unstable) fixed 1:2.50.1-0.1 -

SUSE

Severity: High
Product Status
SUSE Enterprise Storage 7.1 Fixed
SUSE Liberty Linux 8 Fixed
SUSE Liberty Linux 9 Fixed
SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise High Performance Computing 15 SP6 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP6 Fixed
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed

Share

CVE-2025-48385 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy