CVE-2025-48385: External Control of File Name or Path in GIT

Severity: 8.6 HIGH (NVD); OSV: 3.6
EPSS: 0.1% (top 82.26%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Jul 8; Latest update Jul 10

Description

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection c

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages (3 packages)

CVEList V5: git/git < 2.43.7 (+7)
Debian: git/git < 1:2.39.5-0+deb12u3 (+2)
Ubuntu: git/git < 1:2.34.1-1ubuntu1.14 (+12)

Vulnerability Details (5)

OSV: git regression (2025-07-10)
OSV: git regression (2025-07-09)
CVEList: Git allows arbitrary file writes via bundle-uri parameter injection (2025-07-08)
OSV: git vulnerabilities (2025-07-08)
OSV: CVE-2025-48385: Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full acce (2025-07-08)

Vendor Advisories (6)

Ubuntu: Git regression (2025-07-10)
Ubuntu: Git regression (2025-07-09)
Ubuntu: Git vulnerabilities (2025-07-08)
Red Hat: git: Git arbitrary file writes (2025-07-08)
Microsoft: GitHub: CVE-2025-48385 Git Protocol Injection Vulnerability (2025-07-08)