The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in the Git distributed version control system to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild1. Tracked as CVE-2025-48384, this arbitrary file write flaw carries a CVSS score of 8.1 and affects Git versions 2.50.0 and earlier2. The addition mandates Federal Civilian Executive Branch (FCEB) agencies to remediate the vulnerability by September 15, 2025, under Binding Operational Directive (BOD) 22-011. This development is particularly significant given Git’s ubiquitous role in software development and CI/CD pipelines, making it a high-value target for supply chain attacks.
Understanding the Git Vulnerability (CVE-2025-48384)
The flaw, classified as a Link Following vulnerability (CWE-59) with an Interpretation Conflict (CWE-436), stems from Git’s inconsistent handling of carriage return (CR) characters in configuration files2. When Git reads a configuration value from a file such as `.git/config`, it strips trailing CRLF line endings. However, when writing these values back, it fails to properly quote values that end with a carriage return character. This inconsistency causes the CR character to be lost upon re-reading the configuration, creating a parsing discrepancy that attackers can weaponize. The technical mechanism involves a malicious repository where a submodule path ends with a trailing CR character, which alters the path interpretation during initialization.
Exploitation Mechanism and Proof of Concept
Technical analyses from Datadog and Arctic Wolf detail the exploitation chain3, 4. An attacker crafts a repository where a submodule path is set to a value ending with a trailing CR, such as `payload\r`. If a symbolic link named `payload` exists and points to `.git/hooks`, Git’s misparsing during submodule initialization will place the submodule’s contents into the hooks directory. This can include a malicious `post-checkout` hook script. When a user or automated system clones this malicious repository and performs a checkout operation, the malicious hook executes, leading to arbitrary code execution in the context of the user running Git. This attack vector is particularly effective against automated CI/CD systems that frequently clone and checkout untrusted repositories.
Broader Context of CISA’s KEV Catalog
CISA’s KEV catalog serves as the authoritative source for vulnerabilities with confirmed active exploitation and is a foundational element of modern vulnerability management5. A vulnerability is added only when it meets three specific criteria: it must have a CVE ID, there must be reliable evidence of active exploitation “in the wild,” and there must be a clear remediation action available5. While BOD 22-01 legally binds FCEB agencies to remediate these vulnerabilities, CISA strongly urges all organizations to prioritize KEV-listed flaws to build collective resilience across the cybersecurity community. The catalog is designed to help organizations keep pace with threat activity by filtering the vast number of CVEs down to those causing immediate harm.
Remediation and Mitigation Strategies
The primary mitigation is to update the Git command-line interface to version 2.50.1 or later2. The Git project has released a security advisory detailing the patch and providing updated versions6. In environments where immediate patching is impossible, organizations should consider disabling submodule initialization or removing the `.git/hooks/post-checkout` script from CI/CD runners and developer workstations. For Citrix Session Recording users affected by the simultaneously added CVEs, immediate upgrade to the patched versions released in November 2024 is required1. These mitigation steps should be integrated into a broader vulnerability management program that prioritizes KEV remediation.
Historical Precedent and Persistent Threats
This event occurs within a broader context of attackers rapidly weaponizing vulnerabilities, as detailed in a major joint cybersecurity advisory analyzing the top exploited vulnerabilities of 20237. The advisory revealed that malicious actors exploited more zero-day vulnerabilities in 2023 compared to 2022, with the majority of top exploited vulnerabilities initially used as zero-days. The persistence of threats like CVE-2021-44228 (Log4Shell) on exploitation lists years after patching underscores the critical importance of comprehensive asset management and timely patch deployment. This pattern demonstrates that both newly disclosed and older vulnerabilities remain valuable to attackers.
Conclusion and Strategic Implications
The addition of CVE-2025-48384 to CISA’s KEV catalog highlights the ongoing targeting of foundational development tools and software supply chains. Organizations should treat the KEV catalog as a primary input for vulnerability management prioritization, integrating it with automated tools that can flag listed vulnerabilities. The confirmation of active exploitation means that any organization using unpatched Git versions in development or CI/CD environments faces immediate risk. While the specific threat actors exploiting this vulnerability remain unidentified, the potential impact ranges from initial access to full system compromise, particularly in automated environments where Git operations occur with elevated privileges.
