CISA Issues Warning About Git Arbitrary File Write Vulnerability Being Exploited in Cyber Attacks
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a high-severity warning regarding CVE-2025-48384, a link-following vulnerability in Git that allows arbitrary file writes because of inconsistent carriage return (CR) handling in configuration files. The vulnerability is already being actively exploited, which makes prompt mitigation urgent. Key takeaways: CVE-2025-48384 lets attackers abuse CR handling in Git configuration to write arbitrary files, posing a significant risk to Continuous Integration/Continuous Deployment (CI/CD) and build systems, and organisations are advised to upgrade their Git installations and apply Binding Operational Directive (BOD) 22-01 controls to mitigate that risk.
CVE-2025-48384 stems from Git's inconsistent treatment of trailing carriage return (CR) characters in .git/config and other configuration entries. When reading a configuration value, Git strips trailing CR and line feed (LF) characters; when writing a value that ends in a CR, however, it fails to quote the value, so the CR is lost when the entry is read back. The flaw can be exploited during submodule initialisation to place a malicious post-checkout hook in the hooks directory of a cloned repository; on checkout, that hook runs arbitrary code with the user's privileges, enabling arbitrary file writes across the filesystem. CISA urges all organisations to prioritise deployment of the patches by September 15, 2025, to prevent data tampering, unauthorised code execution, or supply-chain compromise within critical software development lifecycles.
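As an added defender-side check (not part of this article or of Git itself), the following Python scanner reads a repository's .gitmodules without normalising line endings and flags submodule paths that carry a trailing CR or other control characters, traverse upward, are absolute, or contain a .git component; it assumes only that the repository is checked out and .gitmodules is readable, and the sample content it ships with is constructed for illustration.

```python
import re
from pathlib import Path, PurePosixPath

# Constructed sample .gitmodules: one benign entry and one whose path ends in
# a carriage return, the condition the advisory describes (hypothetical data).
SAMPLE_GITMODULES = (
    '[submodule "libfoo"]\n'
    '\tpath = vendor/libfoo\n'
    '\turl = https://example.invalid/libfoo.git\n'
    '[submodule "odd"]\n'
    '\tpath = vendor/odd\r\n'
    '\turl = https://example.invalid/odd.git\n'
)

def parse_gitmodules(text):
    """Return {name: {key: raw_value}}, keeping a trailing CR in values."""
    entries, current = {}, None
    for line in text.split("\n"):          # split on LF only so CR survives
        m = re.match(r'^\[submodule "(.+)"\]\s*$', line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        m = re.match(r'^\s*([A-Za-z][\w-]*)\s*=(.*)$', line)
        if m and current is not None:
            # Strip only leading blanks; '.' does not match LF but does match CR.
            entries[current][m.group(1).lower()] = m.group(2).lstrip(" \t")
    return entries

def suspicious_submodule_paths(entries):
    """Return [(name, raw_path, [reasons])] for entries a pre-clone gate should reject."""
    findings = []
    for name, cfg in entries.items():
        path = cfg.get("path", "")
        reasons = []
        if any(ord(c) < 0x20 for c in path):
            reasons.append("control character (e.g. CR) in path")
        parts = PurePosixPath(path.rstrip("\r")).parts
        if ".." in parts:
            reasons.append("path traverses upward")
        if path.startswith(("/", "\\")):
            reasons.append("absolute path")
        if any(p.lower() == ".git" for p in parts):
            reasons.append(".git component in path")
        if reasons:
            findings.append((name, path, reasons))
    return findings

def scan_repo(repo_dir):
    """Read <repo>/.gitmodules as bytes so universal-newline mode cannot drop the CR."""
    gm = Path(repo_dir) / ".gitmodules"
    if not gm.is_file():
        return []
    return suspicious_submodule_paths(parse_gitmodules(gm.read_bytes().decode("utf-8", "replace")))

if __name__ == "__main__":
    for name, path, reasons in suspicious_submodule_paths(parse_gitmodules(SAMPLE_GITMODULES)):
        print(f"submodule {name!r}: path {path!r} -> {', '.join(reasons)}")
```

Run it against a checkout in CI before `git submodule update` is invoked; a non-empty result is a reason to stop the pipeline and confirm the Git version in use has been upgraded.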
Categories: Vulnerability Management, Software Security, CI/CD Risks
Tags: CVE-2025-48384, Git, Vulnerability, Arbitrary File Write, Configuration Files, CI/CD, Mitigation, Exploitation, Patching, Security