Imagine a hacker lurking in the shadows, ready to exploit a weakness in a tool you use every day. That’s precisely the unsettling reality for millions of developers now facing the threat of CVE-2025-48384, a recently patched vulnerability in the widely-used Git version control system.

This flaw was confirmed to be under attack by the US Cybersecurity and Infrastructure Security Agency (CISA), which added it to its Known Exploited Vulnerabilities catalog just days ago. But what does this mean for you?

Understanding CVE-2025-48384

At its core, CVE-2025-48384 arises from a mismatch in Git's handling of configuration values that include control characters. According to researchers from DataDog, the vulnerability allows malicious actors to write a harmful Git Hook script. This could lead to remote code execution (RCE) whenever common commands like git commit and git merge are executed.

But how does this happen? An attacker can craft a deceptive .gitmodules file that includes submodule paths that erroneously end with a carriage return. When Git reads these paths, it may strip away the problematic character but keeps it when writing, causing potential misdirection of submodule contents. This dodgy behavior can enable arbitrary writes across a victim's filesystem, especially when combined with symbolic links or specific repository setups.

The Timeline and Immediate Threats

Public awareness of CVE-2025-48384 began on July 8, 2025, when Git versions v2.50.1, v2.49.1, v2.48.2, and several others were released to patch this vulnerability. However, just a couple of days later, DataDog researchers discovered proof-of-concept exploits already circulating, indicating that the vulnerability was being actively abused.

What’s particularly alarming is how easy this vulnerability is to exploit. Malicious Git repositories can be created that will execute harmful code as soon as they are cloned. Attackers can also overwrite a victim’s Git configuration file, potentially exfiltrating sensitive intellectual property, such as proprietary source code, all while flying under the radar. These types of Git activities can be completely transparent to the unsuspecting user, allowing attackers to maintain their foothold without detection.

What You Need to Do

With confirmed attacks occurring in the wild, developers on macOS and Linux are urged to verify if their Git versions are updated. If they aren’t, it’s time to patch that vulnerability! Mac users should pay special attention to the Git version bundled with the macOS Command Line Tools, ensuring they are running a version that includes the fix.

It’s also worth noting that some customer Continuous Integration/Continuous Deployment (CI/CD) build systems may still use vulnerable versions of Git, adding another layer of risk. Furthermore, users are advised against recursively cloning submodules from untrusted repositories.

By including CVE-2025-48384 in its KEV catalog, CISA has mandated that US federal civilian agencies mitigate this vulnerability by September 15, 2025. Will you take the necessary steps to protect your projects?