An attacker can exploit this vulnerability by crafting a Git repository including a malicious .gitmodules file that contains a submodule path with a trailing carriage return. When the repository is recursively cloned (via the command git clone –recursive), the path parsing inconsistency allows the threat actor to achieve an arbitrary file write to an attacker-specified path. By strategically placing symlinks and leveraging the carriage return confusion, attackers can write malicious content directly to the Git submodule’s hooks directory. Git then automatically executes this malicious hook script as part of the normal submodule checkout process, resulting in arbitrary code execution on the victim’s system.
A proof of concept was published soon after exploitation, highlighting the ease of exploiting this vulnerability to achieve any range of objectives on the victim’s machine.
Vulnerability Details
CrowdStrike has identified active exploitation of Git vulnerability CVE-2025-48384. In the observed activity, threat actors combined sophisticated social engineering tactics with malicious Git repository cloning operations. This targeted attack chain poses a substantial risk to organizations running unpatched Git installations.
CVE-2025-48384 is a configuration file parsing vulnerability in Git that affects macOS and Linux operating systems. The vulnerability stems from Git’s inconsistent handling of carriage return characters when parsing configuration files and submodule paths.
Figure 1 shows the executed post-checkout hook script’s content, which uses Python to execute the first-stage malware script hooks/vm.tf, extracts a TAR file to /tmp, and then deletes the submodule’s files.
Exploitation in the Wild
During analysis of the social engineering activity and in-the-wild exploitation, CrowdStrike identified the following indicators associated with CVE-2025-48384:
This campaign emphasizes two critical security imperatives: timely software patching and implementing a comprehensive security strategy that encompasses detection, observation, and rapid incident response capabilities.
