Git Carriage Return Flaw Enables Code Execution During Submodule Initialization
A high-severity vulnerability tracked as CVE-2025-48384 affects Git’s handling of configuration values containing trailing carriage returns, creating a path for unintended script execution during submodule initialization. According to Armis, the flaw can be abused when an attacker can influence the relevant configuration context, potentially turning routine clone or submodule operations into code execution. Microsoft’s Security Update Guide also lists the issue, identifying it as a Git/GitHub vulnerability.
Public exploit activity quickly followed disclosure, with multiple GitHub repositories publishing proof-of-concept material for CVE-2025-48384, including variants described as working over HTTPS and others explicitly labeling the issue as carriage-return-driven remote code execution on cloning. The appearance of several PoC repositories indicates that exploit details are broadly accessible, increasing the likelihood of weaponization against developers and build environments that process untrusted repositories or submodules.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Public proof-of-concept exploit for CVE-2025-48384 appears on GitHub
A GitHub repository publishing a proof-of-concept for CVE-2025-48384 was made public. The PoC indicated that exploit details had become publicly available shortly after disclosure.
CVE-2025-48384 disclosed as a Git carriage-return handling flaw
A vulnerability identified as CVE-2025-48384 was disclosed in Git. The flaw involves improper handling of trailing carriage returns in configuration values, which can trigger unintended script execution during submodule initialization if an attacker can influence the configuration context.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
10 references tracked. Mallory keeps watching after this page renders.
GitHub - vignesh21-git/CVE-2025-48384: GIT vulnerability | Carriage Return and RCE on cloning · GitHub
github.com
Open sourceGitHub - s41r4j/CVE-2025-48384: GIT vulnerability | Carriage Return and RCE on cloning · GitHub
github.com
Open sourceGitHub - jacobholtz/CVE-2025-48384-poc: PoC for CVE-2025-48384 · GitHub
github.com
Open sourceGitHub - arun1033/CVE-2025-48384 · GitHub
github.com
Open sourceGitHub - IK-20211125/CVE-2025-48384: CVE-2025-48384 PoC · GitHub
github.com
Open sourceGitHub - vinieger/CVE-2025-48384: PoC for CVE-2025-48384 - but with HTTPS instead · GitHub
github.com
Open sourceCVE-2025-48384 | High Severity | Armis
cve.armis.com
Open sourceCVE-2025-48384 - Security Update Guide - Microsoft - GitHub: CVE-2025-48384 Git Symlink Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
GitHub `Kernel#send()` Flaw Exposed Secrets and Enabled GHES RCE Path
A vulnerability tracked as **`CVE-2024-0200`** allowed attackers with organization owner privileges to abuse an unsafe Ruby `Kernel#send()` call in GitHub’s organization repository settings flow and invoke unintended zero-argument methods on `Repository` objects. Researchers showed the bug could be used to trigger `Repository::GitDependency#nw_fsck()` and leak roughly **2 MB of environment variables** from a production GitHub.com container, exposing access keys, secrets, and internal configuration because spawned git processes inherited the parent environment. The issue affected **GitHub.com** and **GitHub Enterprise Server (GHES)** instances with GitHub Actions enabled, but the impact was more severe on GHES. STAR Labs reported that leaked variables on GHES could include `ENTERPRISE_SESSION_SECRET` and other Marshal-related secrets, which could be chained with forged Rails session cookies and an unsafe `Marshal.load` path to achieve **remote code execution**. GitHub hotfixed GitHub.com on December 26, 2023, and later released a patch and advisory, while recommended mitigations included allowlisting the `rid_key` parameter, reducing environment variables passed to git processes, rotating exposed secrets, and monitoring `repository_items` requests for abnormal `rid_key` values.
Apr 19, 2026
GitHub Copilot for JetBrains Remote Code Execution Vulnerability
A critical vulnerability, tracked as CVE-2025-64671, was identified in GitHub Copilot for JetBrains, allowing improper neutralization of special elements used in a command, leading to potential command injection and local code execution. The flaw enables an unauthorized attacker to execute arbitrary code on the affected system, with a CVSS 3.1 base score of 8.4, indicating high severity. The vulnerability is not remotely exploitable but can be triggered locally, either through direct access or by tricking a user into executing malicious commands. Security advisories from both cvefeed.io and Microsoft confirm the technical details, highlighting that the vulnerability stems from improper handling of command input within the Copilot integration for JetBrains IDEs. No specific affected product versions have been listed yet, but the issue is confirmed and assigned by Microsoft. Organizations using GitHub Copilot for JetBrains are advised to monitor for updates and apply patches as soon as they become available to mitigate the risk of local code execution attacks.
Mar 21, 2026
GitLab patches CSRF and XSS flaws enabling token theft and browser-side code execution
GitLab disclosed and remediated three high-severity vulnerabilities in GitLab CE/EE that could be exploited by unauthenticated attackers under certain conditions. **CVE-2026-4922** is a cross-site request forgery flaw (`CWE-352`) that could let an attacker trigger GraphQL mutations as an authenticated user, while **CVE-2026-5262** is a cross-site scripting issue (`CWE-79`) that could expose tokens in the Storybook development environment. GitLab also fixed **CVE-2026-5816**, an improper path validation flaw (`CWE-41`) that could allow arbitrary JavaScript execution in a victim’s browser session. The issues affect multiple GitLab CE/EE release lines, with patched versions identified as **18.9.6**, **18.10.4**, and **18.11.1** depending on the flaw. CVE-2026-4922 affects versions from `17.0` before `18.9.6`, `18.10` before `18.10.4`, and `18.11` before `18.11.1`; CVE-2026-5262 affects versions from `16.1.0` before `18.9.6`, `18.10` before `18.10.4`, and `18.11` before `18.11.1`; and CVE-2026-5816 affects `18.10` before `18.10.4` and `18.11` before `18.11.1`. The vulnerabilities carry CVSS v3.1 ratings reflecting high confidentiality and integrity impact, and GitLab linked the disclosures to its patch release notice, internal work items, and HackerOne reports.
May 24, 2026