- CISA adds CVE-2025-48384 to its Known Exploited Vulnerabilities catalog
- Git patched it in July 2025, but there are also mitigations and workarounds
- Users must patch immediately or face a possible attack
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a serious Git vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warning of abuse in the wild and giving Federal Civilian Executive Branch (FCEB) agencies three weeks to patch.
Git, a distributed version control system, is a software development tool that helps users keep track of code changes so they can share them with others and collaborate on projects.
It was recently discovered that Git handles carriage return characters inconsistently; when it configures submodules, this can trick it into setting up a repository in the wrong place and then running hidden, attacker-delivered code.
Avoid recursive submodule -clones
The bug is tracked as CVE-2025-48384 and has a severity score of 8.0/10 (high). It was discovered in early July 2025 and fixed with a patch. The fixed Git versions are 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1 and 2.50.1.
Git is extremely popular. It is the standard version control system used by developers around the world, and platforms such as GitHub, GitLab and Bitbucket are all built on Git. In addition, almost every large software project, including Linux, Android, Chrome and VS Code, uses it to manage code.
When CISA adds a bug to KEV, it usually means it has observed the bug being used in real-world attacks. This one was added on July 25, 2025, which means FCEB agencies have until September 15 to patch it or stop using Git entirely. Other government agencies and private-sector companies typically track KEV as well and apply the updates on the same schedule.
Those who are unable to patch can apply mitigations: avoid recursive submodule clones from untrusted sources, disable Git hooks globally via core.hooksPath, and enforce the use of only vetted submodules.
Via BleepingComputer