Subj : CISA is warning of a worrying Git security flaw, so stay alert
To   : All
From : TechnologyDaily
Date : Wed Aug 27 2025 15:00:10

CISA is warning of a worrying Git security flaw, so stay alert

Date: Wed, 27 Aug 2025 13:53:00 +0000

Description: A high-severity Git bug has been spotted and flagged, with government agencies given weeks to patch.

FULL STORY
======================================================================

* CISA adds CVE-2025-48384 to its Known Exploited Vulnerabilities catalog
* Git patched it in July 2025, but there are also mitigations and workarounds
* Users should patch immediately, or face possible attack

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a serious Git vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warning of in-the-wild abuse and giving Federal Civilian Executive Branch (FCEB) agencies three weeks to patch.

The Git distributed version control system is a software development tool that helps users keep track of code changes, share them with others, and collaborate on projects. It was recently discovered that Git handles carriage return characters inconsistently; when configuring submodules, this can trick Git into setting up a repository in the wrong place and then running hidden, attacker-supplied code.

Avoiding recursive submodule clones

The bug is tracked as CVE-2025-48384 and has a severity score of 8.0/10 (high). It was discovered in early July 2025 and fixed with a patch. The patched Git releases are: 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.

Git is extremely popular. It is the standard version control system used by developers worldwide, and platforms like GitHub, GitLab, and Bitbucket all run on Git. Furthermore, almost every major software project, including Linux, Android, Chrome, and VS Code, uses it to manage code.
When CISA adds a bug to KEV, it usually means it has observed it being used in real-life attacks. This flaw was added on July 25, 2025, meaning FCEB agencies have until September 15 to patch it or stop using Git altogether. Other government agencies, as well as companies in the private sector, usually track KEV and apply the updates at the same time.

Those unable to patch can mitigate by avoiding recursive submodule clones from untrusted sources. Users should also disable Git hooks globally via core.hooksPath and allow only audited submodules.

Via BleepingComputer

======================================================================
Link to news story: https://www.techradar.com/pro/security/cisa-is-warning-of-a-worrying-git-security-flaw-so-stay-alert

--- Mystic BBS v1.12 A49 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)
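As an added example (not from the article or from the Git project), two quick checks a defender can run before cloning with submodules: whether the installed Git is at or above the fixed release for its 2.x line (the version list is taken from the article), and whether a .gitmodules file contains a carriage return, the character the article says Git mishandles. Treating a CR in .gitmodules as a red flag is this example's assumption, so a file merely saved with CRLF line endings will also be flagged and should be reviewed rather than blindly trusted.

```shell
#!/bin/sh
# Added example for CVE-2025-48384 (not code from the article or from Git).
# is_patched_git VERSION  -> 0 if VERSION is a fixed release or newer, else 1.
#   Fixed releases per the article: 2.43.7 2.44.4 2.45.4 2.46.4 2.47.3
#   2.48.2 2.49.1 2.50.1. Lines older than 2.43 are treated as unpatched.
# gitmodules_has_cr FILE  -> 0 if FILE contains a carriage return, else 1.

is_patched_git() {
    ver=${1#git version }                 # accept raw "git --version" output
    set -- $(printf '%s\n' "$ver" | tr . ' ')
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    patch=${patch%%[!0-9]*}               # strip "-rc1", "windows" suffixes
    patch=${patch:-0}
    [ "$major" -gt 2 ] && return 0
    [ "$major" -lt 2 ] && return 1
    case "$minor" in
        43)       need=7 ;;
        44|45|46) need=4 ;;
        47)       need=3 ;;
        48)       need=2 ;;
        49|50)    need=1 ;;
        *) [ "$minor" -gt 50 ] && return 0 || return 1 ;;
    esac
    [ "$patch" -ge "$need" ]
}

gitmodules_has_cr() {
    cr=$(printf '\r')
    grep -q "$cr" "$1"                    # any CR byte in the file is suspect
}

# Stand-alone usage: check the local git, then any .gitmodules in this tree.
if [ "${1:-}" = "--run" ]; then
    v=$(git --version 2>/dev/null)
    if is_patched_git "$v"; then echo "OK: $v"; else echo "UNPATCHED: $v"; fi
    if [ -f .gitmodules ] && gitmodules_has_cr .gitmodules; then
        echo "WARNING: carriage return found in .gitmodules, review before clone"
    fi
fi
```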