GIT Flaws Enable Code Execution on External Repos

Corrected releases of the distributed system of the source texts Git 2.43.7, 2.4.4.4.4, 2.46.4, 2.47.3, 2.47.3, 2.47.3, 2 2.48.2, 2.49.1 and 2.50.1 have been published, addressing a vulnerability that allowed for the execution of code on the user’s system when cloning a repository controlled by an attacker.

  • CVE-2025-48384 – This vulnerability is caused by a flaw in Git’s handling of carriage return symbols. An attacker can exploit this to execute code by initializing a submodule with a path containing a symbolic link to a malicious processor.
  • CVE-2025-48385 – Inadequate checking of Bundle files during repository cloning can allow an attacker to inject malicious code into the system.
  • CVE-2025-48386 – A vulnerability specific to Windows platforms due to a buffer overflow in the Wincred processor.

Furthermore, four vulnerabilities were identified in the graphic interfaces gitk and git gui written in TCL/tk:

  • CVE-2025-27613 – Opening a specially crafted repository in GITK can lead to the rewriting of arbitrary files in the file system.
  • CVE-2025-27614 – Performing certain actions in GITK over a specially designed repository can trigger the execution of malicious scripts.
  • CVE-2025-46334 – In Git GUI on Windows, an attacker can execute code when performing specific actions within the interface on a repository containing malicious executable files.
  • CVE-2025-46335 – Allows an attacker to create or modify a file in the file system when editing a file in GIT GUI extracted from a repository they control.
/Reports, release notes, official announcements.