PoC Exploit Released for High-Severity Git CLI Arbitrary File Write Vulnerability
- From the site: Vulnerability (cybersecuritynews.com)
Author: Kaaviya
A critical vulnerability in Git CLI enables arbitrary file writes on Linux and macOS systems, with working proof-of-concept exploits now publicly available.
CVE-2025-48384, assigned a CVSS severity score of 8.1/10, allows attackers to achieve remote code execution through maliciously crafted repositories when users execute git clone --recursive commands.
Key Takeaways
1. CVE-2025-48384 (CVSS 8.1/10) enables arbitrary file writes on Linux/macOS when using git clone --recursive on malicious repositories.
2. Attackers can inject malicious Git Hook scripts that auto-execute during git commit and git merge operations.
3. Update to patched Git versions (v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, v2.50.1) or use Git CLI instead of GitHub Desktop on macOS.
4. Public proof-of-concept exploits are available, requiring urgent remediation across development environments.
Git CLI Arbitrary File Write Vulnerability
According to Security Researcher Matt Muir, Linux Malware, CVE-2025-48384 exploits a fundamental flaw in Git’s handling of configuration values and carriage return (\r) characters when parsing .gitmodules files on UNIX-like systems.
The vulnerability stems from a critical mismatch between how Git reads versus writes configuration values containing control characters.
When an attacker crafts a malicious .gitmodules file with submodule paths ending in carriage return characters, Git’s config parser behavior creates a dangerous discrepancy where the character may be stripped during read operations but preserved during write operations.
This parsing inconsistency allows malicious redirection of submodule contents to arbitrary filesystem locations.
The vulnerability specifically affects Git CLI installations prior to patched versions v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1 on macOS and Linux platforms.
Notably, Windows systems remain unaffected due to fundamental differences in control character handling in non-UNIX-derived systems.
The GitHub Desktop client for macOS is particularly vulnerable because it executes git clone --recursive operations by default under the hood.
DataDog researchers have identified multiple exploitation pathways that leverage the arbitrary file write primitive to achieve persistent remote code execution.
The most common attack scenario involves weaponized repositories published with README instructions encouraging users to run git clone --recursive, a practice frequently recommended in open-source projects.
Once the malicious repository is cloned, attackers can write Git Hook scripts contained within the repository’s submodules directly to the victim’s .git subdirectory.
These malicious payloads execute automatically during routine Git operations such as git commit and git merge commands, providing transparent persistence mechanisms.
Alternative exploitation techniques include overwriting the victim’s Git configuration file to modify the [remote "origin"] section, enabling stealthy exfiltration of intellectual property and proprietary source code to attacker-controlled servers.
Working proof-of-concept exploits demonstrating arbitrary writes to /tmp directories have been validated by security researchers and are publicly accessible.
Risk Factors and Details
- Affected Products: Git CLI on Linux and macOS prior to versions v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, v2.50.1; GitHub Desktop client for macOS (pre-patch)
- Impact: Arbitrary file writes
- Exploit Prerequisites: Repository accessible via public hosting platforms or social engineering
- CVSS 3.1 Score: 8.1 (High)
Remediation
Organizations must immediately upgrade affected Git CLI installations to patched versions v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, or v2.50.1 using their respective package managers.
Users can verify their current Git version by executing git --version and comparing it against the vulnerable version ranges, including v2.50.0, v2.49.0, v2.48.0-v2.48.1, v2.47.0-v2.47.2, v2.46.0-v2.46.3, v2.45.0-v2.45.3, v2.44.0-v2.44.3, and v2.43.6 and prior.
GitHub Desktop users on macOS should temporarily avoid the client for Git operations until an official patch becomes available, instead utilizing the patched Git CLI for repository management.
Security teams can implement detection mechanisms using custom Agent rules to monitor for suspicious git clone --recursive executions targeting external repositories, while auditing .gitmodules file contents before cloning untrusted repositories.
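One way to carry out the .gitmodules audit mentioned above, as an added example that is not from the original article or from any vendor tooling. The function name, the constructed sample data, and the rule that a CR counts as a line ending only in a consistently CRLF file are assumptions of this example.

```python
import re

# Control bytes other than TAB; line terminators are removed before matching.
CONTROL = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")
SECTION = re.compile(rb'^\s*\[submodule\s+"(.*)"\]\s*$', re.I)
KEYVAL = re.compile(rb"^[ \t]*(path|url)[ \t]*=(.*)$", re.I)


def audit_gitmodules(data: bytes):
    """Return (line_no, submodule, key, value_repr) for each suspicious entry."""
    lines = data.split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()  # drop the empty piece after a final newline
    # Assumption: CR before LF is an ordinary line ending only when every
    # line has it (a consistently CRLF file); otherwise it counts as data.
    crlf_file = bool(lines) and all(l.endswith(b"\r") for l in lines)
    findings, submodule = [], "?"
    for line_no, raw in enumerate(lines, start=1):
        line = raw[:-1] if crlf_file else raw
        m = SECTION.match(line)
        if m:
            submodule = m.group(1).decode("utf-8", "replace")
            continue
        m = KEYVAL.match(line)
        if m and CONTROL.search(m.group(2)):
            key = m.group(1).decode().lower()
            findings.append((line_no, submodule, key, repr(m.group(2).strip(b" \t"))))
    return findings


# Constructed samples (not taken from any real repository).
CLEAN_CRLF = (b'[submodule "docs"]\r\n'
              b"\tpath = docs\r\n"
              b"\turl = https://example.invalid/docs.git\r\n")
SUSPICIOUS = (b'[submodule "lib"]\n'
              b"\tpath = lib\r\n"  # only this line carries a CR
              b"\turl = https://example.invalid/lib.git\n")

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_CRLF), ("suspicious", SUSPICIOUS)):
        print(name, audit_gitmodules(blob))
```

Read the file in binary mode before passing it in, so that the carriage return is not normalized away by text-mode newline handling.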