DEBIAN-CVE-2025-48384

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2025-48384
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-48384.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2025-48384
Upstream
Downstream
Published
2025-07-08T19:15:42.800Z
Modified
2026-03-30T07:00:25.550528Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.

References

Affected packages

Debian:11 / git

Package

Name
git
Purl
pkg:deb/debian/git?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:2.30.2-1+deb11u5

Affected versions

1:2.*
1:2.30.2-1
1:2.30.2-1+deb11u1
1:2.30.2-1+deb11u2
1:2.30.2-1+deb11u3
1:2.30.2-1+deb11u4

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-48384.json"

Debian:12 / git

Package

Name
git
Purl
pkg:deb/debian/git?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:2.39.5-0+deb12u3

Affected versions

1:2.*
1:2.39.2-1.1
1:2.39.2+next.20230215-1
1:2.39.5-0+deb12u1
1:2.39.5-0+deb12u2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-48384.json"

Debian:13 / git

Package

Name
git
Purl
pkg:deb/debian/git?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:2.47.3-0+deb13u1

Affected versions

1:2.*
1:2.47.2-0.2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-48384.json"

Debian:14 / git

Package

Name
git
Purl
pkg:deb/debian/git?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:2.50.1-0.1

Affected versions

1:2.*
1:2.47.2-0.2
1:2.48.0~rc1+next.20250101-1
1:2.49.0-1
1:2.49.0-2
1:2.49.0-3
1:2.49.0+next.20250314-1
1:2.50.0~rc0+next.20250528-1
1:2.50.0-1
1:2.50.0+next.20250615-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-48384.json"