Skip to main content

Ubuntu EUVDEUVD-2025-20677

| CVE-2025-48384 HIGH
Improper Link Resolution Before File Access (CWE-59)
2025-07-08 security-advisories@github.com
8.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.0 HIGH
AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Ubuntu
HIGH
qualitative
SUSE
7.8 HIGH
AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Red Hat
8.0 HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 16, 2026 - 04:21 euvd
EUVD-2025-20677
Analysis Generated
Mar 16, 2026 - 04:21 vuln.today
Added to CISA KEV
Nov 06, 2025 - 14:52 cisa
CISA KEV
CVE Published
Jul 08, 2025 - 19:15 nvd
HIGH 8.0

DescriptionGitHub Advisory

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.

AnalysisAI

Git contains a CRLF injection vulnerability (CVE-2025-48384, CVSS 8.0) in its config handling that allows attackers to escape header lines and modify config values. KEV-listed, this vulnerability in the world's most widely used version control system enables config injection attacks that could lead to arbitrary code execution through Git hooks, credential theft, or repository manipulation.

Technical ContextAI

When Git writes a config entry, it strips trailing CRLF from values but does not quote values containing only a trailing CR. This allows an attacker who can influence config values to inject additional lines into the git config file. Injected config entries could: set malicious hooks (core.hooksPath), modify credential helpers (credential.helper), change remote URLs, or alter other security-sensitive settings. Git config is implicitly trusted by Git operations.

RemediationAI

Update Git immediately. Review .gitconfig and repository configs for suspicious entries. Audit core.hooksPath and credential.helper settings. Enterprise: deploy Git updates through software management.

More in Git

View all
CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2018-17456 CRITICAL POC
9.8 Oct 06

Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x be

CVE-2015-7545 CRITICAL
9.8 Apr 13

The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x

CVE-2021-21300 HIGH POC
7.5 Mar 09

Git is an open-source distributed revision control system. Rated high severity (CVSS 7.5), this vulnerability is remotel

CVE-2016-2324 CRITICAL
9.8 Apr 08

Integer overflow in Git before 2.7.4 allows remote attackers to execute arbitrary code via a (1) long filename or (2) ma

CVE-2022-25648 CRITICAL POC
9.8 Apr 19

The package git before 1.11.0 are vulnerable to Command Injection via git argument injection. Rated critical severity (C

CVE-2016-2315 CRITICAL
9.8 Apr 08

revision.c in git before 2.7.4 uses an incorrect integer data type, which allows remote attackers to execute arbitrary c

CVE-2014-9938 HIGH POC
8.8 Mar 20

contrib/completion/git-prompt.sh in Git before 1.9.3 does not sanitize branch names in the PS1 variable, allowing a mali

CVE-2019-19604 HIGH POC
7.8 Dec 11

Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before

CVE-2018-11235 HIGH POC
7.8 May 30

In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote

CVE-2022-36883 HIGH POC
7.5 Jul 27

A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds o

CVE-2021-40330 HIGH POC
7.5 Aug 31

git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may res

Vendor StatusVendor

Ubuntu

Priority: High
git
Release Status Version
bionic released 1:2.17.1-1ubuntu0.18+esm2
focal released 1:2.25.1-1ubuntu3.14+esm1
jammy released 1:2.34.1-1ubuntu1.13
noble released 1:2.43.0-1ubuntu7.3
oracular released 1:2.45.2-1ubuntu1.2
plucky released 1:2.48.1-0ubuntu1.1
upstream released 2.43.7
xenial released 1:2.7.4-0ubuntu1.10+esm9

Debian

Bug #1108983
git
Release Status Fixed Version Urgency
bullseye fixed 1:2.30.2-1+deb11u5 -
bullseye (security) fixed 1:2.30.2-1+deb11u5 -
bookworm vulnerable 1:2.39.5-0+deb12u3 -
bookworm (security) vulnerable 1:2.39.5-0+deb12u2 -
trixie fixed 1:2.47.3-0+deb13u1 -
forky fixed 1:2.51.0-1 -
sid fixed 1:2.53.0-1 -
(unstable) fixed 1:2.50.1-0.1 -

SUSE

Severity: High
Product Status
SUSE Enterprise Storage 7.1 Fixed
SUSE Liberty Linux 7 LTSS Fixed
SUSE Liberty Linux 8 Fixed
SUSE Liberty Linux 9 Fixed
SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise High Performance Computing 15 SP6 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP6 Fixed

Share

EUVD-2025-20677 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy