The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity arbitrary code execution flaw in the Git distributed version control system to its Known Exploited Vulnerabilities (KEV) catalog and set a federal patch deadline of September 15. Tracked as CVE-2025-48384, the bug stems from how Git handles carriage return (\r) characters in configuration files and can be abused to execute code on user machines that clone a malicious repository.
Git underpins modern software collaboration and forms the basis of major hosting platforms such as GitHub, GitLab, and Bitbucket. Because developers routinely clone repositories and submodules from third parties, this vulnerability has a broad potential impact for enterprise development environments and continuous integration pipelines.
How the Git Vulnerability Works and Why it is Dangerous
CVE-2025-48384 arises from a mismatch in Git’s handling of carriage return characters when writing and reading configuration entries. The inconsistency can cause incorrect submodule path resolution. An attacker can weaponize this by publishing a repository whose submodule path ends with a carriage return and by supplying a crafted symlink and malicious hook setup.
When a target performs a recursive clone or fetch that processes the crafted submodule, the malformed path and symlink can cause Git to follow the attacker-controlled resource and trigger arbitrary code execution on the host.
The attack vector is practical: attackers publish repositories to public hosting, and victims who clone them—especially with --recurse-submodules enabled—may inadvertently cause the client to process the malicious entries. Because the exploit leverages normal Git behaviors (submodules, symlinks, and hooks), successful exploitation can lead to code execution without requiring elevated privileges inside the cloning environment.
Discovery, Fixes, and Vendor Guidance
Git maintainers discovered the issue on July 8, 2025, and issued patches in a sequence of point releases. The fixes are available in the following Git versions:
- 2.43.7
- 2.44.4
- 2.45.4
- 2.46.4
- 2.47.3
- 2.48.2
- 2.49.1
- 2.50.1
CISA added CVE-2025-48384 to its KEV catalog and instructed federal agencies to remediate or mitigate the vulnerability by September 15. Organizations outside the federal sphere should treat the update with similar urgency given Git’s wide use in development and deployment workflows.
Recommended Mitigations When Immediate Patching is Not Possible
If organizations cannot immediately upgrade to one of the patched Git releases, the guidance includes practical mitigations that reduce exposure:
- Avoid recursive submodule clones (
--recurse-submodules) from untrusted or unaudited sources. - Disable Git hooks globally by setting
core.hooksPathto a safe, empty directory, preventing automatic execution of repository-supplied hooks. - Enforce the use of audited submodules only, and validate submodule paths and symlinks before performing recursive operations.
- Treat any submodule paths ending with unusual whitespace or control characters (including
\r) as suspicious and inspect them manually. - Apply code repository scanning to detect committed symlinks, hooks, and configuration anomalies that could indicate an attempt to weaponize submodules.
- Where possible, restrict developer machines and CI runners from cloning arbitrary public repositories without review.
These mitigations lower the risk by blocking common exploitation paths and by ensuring that untrusted content cannot trigger client-side automation or hooks.
Detection and Hunting Guidance for Defenders
Enterprises should search logs and build outputs for signs of unexpected submodule processing, automatic hook execution, or the presence of unusual symlink targets. Detection priorities include:
- CI pipeline jobs that perform recursive clones or run repository hooks.
- Unexpected modifications to local
hooksdirectories or thecore.hooksPathsetting. - Clones that generate errors referencing submodule path resolution or symlink traversal.
- Anomalous network requests from developer workstations or CI runners immediately after a clone operation.
Correlating such events with recent repository sources and with users who performed recursive operations will help identify potential compromise.
CISA Adds Two Citrix Session Recording Flaws to KEV With Same Deadline
CISA concurrently added two Citrix Session Recording vulnerabilities to the KEV catalog and gave organizations the same remediation deadline of September 15 to apply vendor hotfixes or discontinue product use. The two issues, fixed by Citrix in November 2024, are CVE-2024-8068 and CVE-2024-8069; both received medium-severity scores.
- CVE-2024-8068 allows an authenticated user in the same Active Directory domain as a Session Recording server to escalate privileges to the NetworkService account.
- CVE-2024-8069 enables an authenticated intranet user to achieve limited remote code execution with NetworkService privileges via deserialization of untrusted data.
These flaws affect Citrix Session Recording versions prior to the vendor hotfixes for specific releases: 2407 hotfix 24.5.200.8 (CR), 1912 LTSR before CU9 hotfix 19.12.9100.6, 2203 LTSR before CU5 hotfix 22.03.5100.11, and 2402 LTSR before CU1 hotfix 24.02.1200.16. CISA’s KEV listing requires organizations to patch, apply vendor guidance, or stop using affected builds by the September 15 deadline.
Why Enterprises Should Treat These Notifications Seriously
The Git arbitrary code execution vulnerability is particularly sensitive in enterprise contexts because development tools often run with access to build artifacts, secrets stored in developer workstations or CI environments, and automated deployment pipelines. A compromised developer machine or CI runner can provide an attacker with a high-value foothold into build systems, artifact repositories, and cloud environments.
Citrix Session Recording flaws present a different but serious risk profile: post-authentication privilege escalation and deserialization-based code execution can allow lateral movement inside corporate networks and compromise server-side processes running with elevated service accounts.
Because CISA has placed both the Git issue and the Citrix Session Recording flaws in the KEV catalog with an explicit remediation timeline, federal entities must prioritize updates. Private sector organizations should mirror that urgency to reduce the window of opportunity for attackers exploiting public proof-of-concepts or weaponized exploit code.
Practical Patch Rollout Checklist for IT and DevOps Teams
- Inventory all development hosts, CI runners, and build agents that use Git and identify versions.
- Prioritize upgrading to one of the patched Git releases listed above.
- Temporarily block recursive submodule operations from untrusted sources in CI and developer guidelines.
- Configure
core.hooksPathto a controlled location and disable automatic hook execution on machines that cannot be patched immediately. - Scan repositories and artifact repositories for suspicious submodule names, symlinks, or committed hook scripts.
- Review Citrix Session Recording installations and apply vendor hotfixes if running affected versions; if urgent patching is not feasible, isolate or stop impacted services.
- Monitor clone activity in logs and alert on recursive clones from external or unusual repositories.
- Communicate the change and the timeline to developer and security teams and enforce temporary safe-clone policies.
CVE-2025-48384 represents a practical and actively exploited vector that leverages Git submodule handling and carriage return mismatches to achieve arbitrary code execution. CISA’s addition of the flaw to the KEV catalog and the September 15 remediation deadline underscore the urgency for patching across federal and enterprise environments. Paired with CISA’s inclusion of two Citrix Session Recording vulnerabilities under the same timeline, organizations running affected software should prioritize upgrades, apply mitigations where immediate patching is not possible, and hunt for indicators of compromise in development and server logs.
