The Git Project has released updates addressing three significant vulnerabilities impacting Git versions up to v2.50.0, including one that could allow remote code execution during repository cloning, another enabling arbitrary file writes, and a third involving a buffer overflow in Windows credential handling.
These vulnerabilities — tracked as CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386 — have been patched in multiple branches, including v2.50.1 and earlier long-term support releases such as v2.43.7 through v2.49.1.
CVE-2025-48384 — Arbitrary Code Execution via Broken Config Quoting (CVSS 8.1)
This vulnerability stems from Git’s improper handling of carriage return characters when writing configuration values. If a malicious actor crafts a submodule path with a trailing CR (carriage return), Git may interpret the altered path incorrectly and execute malicious hooks post-checkout.
“If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout,” the advisory warns.
This issue could be leveraged during recursive submodule cloning from untrusted repositories, making it a high-severity concern for developers using open-source projects with nested dependencies.
Mitigation: Upgrade to a patched Git version or avoid recursive submodule cloning from unknown sources.
CVE-2025-48385 — Arbitrary File Writes via Bundle-URI Parameter Injection (CVSS 8.6)
The second vulnerability targets Git’s support for bundle URIs, a feature introduced to speed up cloning via pre-packaged bundles hosted on CDNs. However, the Git client performs insufficient validation of these URIs, allowing a remote server to inject malicious protocol commands and write files outside of the intended directory.
“This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary… which can in the worst case lead to arbitrary code execution,” according to the Git advisory.
Although bundle URIs are not enabled by default, the vulnerability could be exploited if the user or a project explicitly enables them, or through recursive clone operations involving submodules controlled by the attacker.
Mitigation: Disable the bundle.heuristic configuration and avoid recursive cloning of untrusted repositories.
CVE-2025-48386 — Buffer Overflow in wincred Credential Helper (CVSS 6.3)
The third vulnerability is a classic buffer overflow affecting the wincred helper on Windows platforms. Because the helper does not check the remaining buffer space before appending with wcsncat(), an attacker could trigger memory corruption by overflowing a static buffer used for credential comparison and storage.
“This credential helper does not properly bounds check the available space remaining in the buffer before appending to it… leading to potential buffer overflows,” the advisory notes.
While the attack complexity is higher, this issue still poses a risk on Windows systems where wincred is enabled by default.
Mitigation: Upgrade Git or disable the wincred helper if an immediate patch is not possible.
Affected and Patched Versions
All Git versions up to v2.50.0 are affected. The following branches include the necessary fixes:
- v2.50.1
- v2.49.1
- v2.48.2
- v2.47.3
- v2.46.4
- v2.45.4
- v2.44.4
- v2.43.7
Developers and DevOps teams are strongly encouraged to update immediately, especially those using Git in automated CI/CD pipelines or in environments where external repositories are routinely cloned.
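A version gate for CI runners built from the fixed releases listed above. This is an added example, not code from the Git project or its advisories; the function names are hypothetical, and treating series newer than 2.50 as patched is an assumption.

```shell
#!/bin/sh
# Added example: fail a pipeline step when the Git client predates the
# fixed releases listed in this article.

# Print the first fixed patch level for a 2.x minor series, or nothing when
# the article lists no fixed release for that series.
fixed_patch_level() {
    case "$1" in
        50|49)    echo 1 ;;
        48)       echo 2 ;;
        47)       echo 3 ;;
        46|45|44) echo 4 ;;
        43)       echo 7 ;;
    esac
}

# git_is_patched VERSION
# Returns 0 = patched, 1 = affected, 2 = version string not understood.
git_is_patched() {
    v=${1#git version }            # accept raw `git --version` output
    v=${v%% *}                     # drop trailing vendor text after a space
    case "$v" in
        [0-9]*.[0-9]*.[0-9]*) ;;   # require major.minor.patch
        *) return 2 ;;
    esac
    major=${v%%.*};    rest=${v#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=${rest%%[!0-9]*}         # "0.windows.1" or "0-rc1" -> "0"
    [ -n "$patch" ] || return 2
    case "$major$minor$patch" in
        *[!0-9]*) return 2 ;;
    esac
    # Assumption: series newer than 2.50 already contain the fixes.
    [ "$major" -gt 2 ] && return 0
    [ "$major" -lt 2 ] && return 1
    [ "$minor" -gt 50 ] && return 0
    want=$(fixed_patch_level "$minor")
    [ -n "$want" ] || return 1     # older than 2.43: no fixed release listed
    [ "$patch" -ge "$want" ]
}

# Usage in a pipeline step (stops the job on an affected client):
#   git_is_patched "$(git --version)" || { echo "update git" >&2; exit 1; }
```

Pre-release and vendor builds such as 2.50.0.windows.1 are compared by their base patch level, so they are reported as affected until the base version reaches a fixed release.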