PT-2025-28648 · Git +11
Published 2025-07-08 · Updated 2026-01-16
CVE-2025-48385
CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions:
Git versions prior to 2.43.7
Git versions prior to 2.44.4
Git versions prior to 2.45.4
Git versions prior to 2.46.4
Git versions prior to 2.47.3
Git versions prior to 2.48.2
Git versions prior to 2.49.1
Git versions prior to 2.50.1
Description:
The issue arises from insufficient validation by the Git client of the bundle URIs advertised by a remote server during a clone, which allows the server to perform protocol injection. The client can then be made to write fetched content to a location controlled by the adversary, potentially leading to arbitrary code execution. Exploitation requires the bundle.heuristic config option to be enabled and, in some cases, that the adversary controls where the repository will be cloned to, which can be achieved through social engineering or through recursive clones with submodules.

Recommendations:
For Git versions prior to 2.43.7, update to version 2.43.7 or later.
For Git versions prior to 2.44.4, update to version 2.44.4 or later.
For Git versions prior to 2.45.4, update to version 2.45.4 or later.
For Git versions prior to 2.46.4, update to version 2.46.4 or later.
For Git versions prior to 2.47.3, update to version 2.47.3 or later.
For Git versions prior to 2.48.2, update to version 2.48.2 or later.
For Git versions prior to 2.49.1, update to version 2.49.1 or later.
For Git versions prior to 2.50.1, update to version 2.50.1 or later.
As a temporary workaround, consider disabling the bundle.heuristic config option to prevent the use of bundle URIs.
Restrict access to recursive clones to minimize the risk of exploitation.

Weakness types:
Untrusted Search Path
Argument Injection
Link Following
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Debian
Git
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu