Arctic Wolf Customer,
Proof-of-concept exploit code is now available for a high-severity arbitrary file write vulnerability in Git, which poses a risk to developers who regularly work with third-party code. If Git is used in your environment, we recommend reviewing this security bulletin and taking immediate steps to mitigate the risk.
Summary
On 8 July, 2025, the Git project released new versions of Git to address CVE-2025-48384, a high-severity vulnerability allowing threat actors to create malicious git repositories that unexpectedly run code when being cloned. The vulnerability poses a notable supply chain risk, particularly for developers who regularly work with third-party code. As validated in research by Datadog, proof-of-concept exploit code is also now publicly available, further lowering the barrier for exploitation.
Due to differences in how control characters are handled on non-Unix systems, Windows installations of Git are not affected, while macOS and Linux are vulnerable.
Although the CVSS rating classifies the attack complexity of this vulnerability as high, in practice it is trivially exploitable: threat actors can easily create malicious git repositories that execute code unexpectedly upon being cloned. Given widespread use of the git clone –recursive —a pattern that appears extensively in public GitHub repositories—there exists a credible and realistic pretext for exploitation.
Technical Details
This vulnerability stems from Git stripping trailing carriage return (CR) characters when reading config values and failing to quote them when writing. If a submodule path contains a trailing CR, the altered path can cause Git to initialise the submodule in an unintended location. When this is combined with a symlink pointing to the submodule hooks directory and an executable post-checkout hook, cloning a repository can result in unintended code execution.
Arctic Wolf will follow its standard internal processes to assess the impact of this newly reported vulnerability within its own environment and, if impacted, will address it within the established remediation timelines in our Security Patching Policy.
Recommendations
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
| Product | Affected Version | Fixed Version |
| Git CLI (macOS and Linux) |
|
|
Note: Upgrading Git on a Mac by installing a newer version (such as via Homebrew) does not replace the system version at /usr/bin/git — it installs alongside it and requires updating your PATH to use the new one. The system Git can only be upgraded through macOS updates, which may roll out more slowly.
Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.
Avoid Cloning Untrusted Repositories in Sensitive Environments
As a security best practice, avoid cloning untrusted repositories in sensitive environments, as vulnerabilities such as this one may lead to unexpected supply chain risk.
Avoid using the –recursive switch in the clone command where possible to prevent this vulnerability from being exploited.
References
-
Security Advisory: https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9
-
GitHub Announcement: https://github.blog/open-source/git/git-security-vulnerabilities-announced-6/
-
Technical Details: https://dgl.cx/2025/07/git-clone-submodule-cve-2025-48384
-
Datadog Confirms PoC Available: https://securitylabs.datadoghq.com/articles/git-arbitrary-file-write/
Resources
Understand the threat landscape, and how to better defend your organisation, with the 2025 Arctic Wolf Threat Report.
See how Arctic Wolf utilises threat intelligence to harden your attack surface and stop threats earlier and faster.
