Git submodule path CR parsing vulnerability leading to hook execution
CVE-2025-48384 is a high-severity vulnerability in Git caused by inconsistent handling of a trailing carriage return (CR) in configuration values. When Git reads a config value it strips a trailing CRLF, but when it writes a config entry it does not quote a value that ends in a CR, so the CR is lost the next time that entry is read. During submodule initialization a malicious repository can abuse this mismatch by giving a submodule a path with a trailing CR in .gitmodules: Git keeps the CR when it parses .gitmodules but drops it after writing the path into the submodule's own configuration, so the two views of the path disagree and the submodule is checked out to an unintended location. If the attacker also commits a symlink at the CR-less path that points into the submodule's hooks directory, and the submodule tree contains an executable post-checkout hook, the checkout writes that hook into place and Git runs attacker-controlled code at the end of the checkout. Supporting reporting also indicates the path confusion can be leveraged for arbitrary filesystem writes in certain repository layouts, especially during recursive clone operations on macOS and Linux. The fix shipped in Git 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1 and 2.50.1.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Avoid running git clone --recursive (or git submodule update --init) against untrusted content until the client is patched. Disable or redirect Git hooks globally where operationally feasible, for example by pointing core.hooksPath at an empty directory, so that repository-controlled hooks cannot execute. Apply least privilege to developer and build environments, and monitor for suspicious .gitmodules content (submodule paths containing control characters such as CR, or paths that resolve outside the working tree), unexpected submodule checkout locations, hook file creation under .git/modules, and anomalous Git child-process execution during clone and checkout.
Remediation
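To make the read/write asymmetry described in the summary concrete, and to give the .gitmodules monitoring item above a starting point, the following added example (not code from Git or from any PoC repository listed on this page) models Git's config value reader together with its pre-fix and fixed writers, shows that a path ending in CR comes back as a different string after an unquoted write, and scans a constructed .gitmodules for paths that contain control characters, change on round trip, or escape the working tree. Only the parts of Git's parsing that matter here are modelled (CRLF folding, quoting, escapes, comments); the function names, the reason strings and the sample file are the example's own.

```python
"""Model of the Git config read/write asymmetry behind CVE-2025-48384, plus a
.gitmodules scanner built on it. Added example for this page, not code from Git
or from any PoC repository listed here; SAMPLE_GITMODULES is constructed input."""
import re

_SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]*)"\]\s*$')
_KEY_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=(.*)$")
_ESCAPES = {"t": "\t", "b": "\b", "n": "\n", "\\": "\\", '"': '"'}


def git_read_value(line):
    """Model of config.c parse_value for the text after '=' (LF already cut).
    Git folds CRLF into LF before parsing, so a CR right before the line end is
    dropped; unquoted blanks are trimmed and '#'/';' start a comment; bytes
    between double quotes are kept verbatim, so a quoted CR survives. Returns
    None where Git would reject the line (line continuation is not modelled)."""
    if line.endswith("\r"):
        line = line[:-1]
    out, quote, pending_space, i = "", False, 0, 0
    while i < len(line):
        c = line[i]
        i += 1
        if not quote and c in " \t\r\f\v":
            if out:                      # leading blanks are dropped outright
                pending_space += 1
            continue
        if not quote and c in "#;":
            break
        out += " " * pending_space       # blanks only survive between tokens
        pending_space = 0
        if c == "\\":
            if i >= len(line) or line[i] not in _ESCAPES:
                return None
            out += _ESCAPES[line[i]]
            i += 1
        elif c == '"':
            quote = not quote
        else:
            out += c
    return None if quote else out


def git_write_value(value, fixed):
    """Model of config.c write_pair. Pre-fix, a value is quoted only for a
    leading/trailing space or a comment character, so a trailing CR is written
    bare; the fixed writer also quotes any value containing a CR."""
    needs_quote = (value[:1] == " " or value[-1:] == " "
                   or any(ch in value for ch in ";#")
                   or (fixed and "\r" in value))
    escaped = (value.replace("\\", "\\\\").replace('"', '\\"')
               .replace("\n", "\\n").replace("\t", "\\t"))
    return f'"{escaped}"' if needs_quote else escaped


def round_trip(value, fixed):
    """Write a value the way Git would, then read it back the way Git would."""
    return git_read_value(git_write_value(value, fixed))


def scan_gitmodules(raw):
    """Return (submodule name, path as Git reads it, reasons) for every
    submodule whose path is suspicious; an empty list means nothing flagged."""
    findings, name = [], None
    # Split on LF only: str.splitlines() would also split on a lone CR and
    # hide exactly the byte this scanner looks for.
    for line in raw.decode("utf-8", "surrogateescape").split("\n"):
        m = _SECTION_RE.match(line.rstrip("\r"))
        if m:
            name = m.group(1)
            continue
        m = _KEY_RE.match(line)
        if not m or name is None or m.group(1).lower() != "path":
            continue
        path = git_read_value(m.group(2))
        reasons = []
        if path is None:
            reasons.append("unparseable path value")
        else:
            if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in path):
                reasons.append("control character in path")
            if round_trip(path, fixed=False) != path:
                reasons.append("path changes on unquoted write/re-read (CVE-2025-48384 pattern)")
            if path.startswith("/") or ".." in path.replace("\\", "/").split("/"):
                reasons.append("path escapes the working tree")
        if reasons:
            findings.append((name, path, reasons))
    return findings


# Constructed sample: one benign submodule and one whose path carries a CR.
SAMPLE_GITMODULES = (b'[submodule "benign"]\n\tpath = vendor/benign\n'
                     b'\turl = https://example.invalid/benign.git\n'
                     b'[submodule "sub"]\n\tpath = "sub\r"\n'   # quoted: reader keeps the CR
                     b'\turl = https://example.invalid/sub.git\n')

if __name__ == "__main__":
    for name, path, reasons in scan_gitmodules(SAMPLE_GITMODULES):
        print(f"submodule {name!r}: path {path!r}: {'; '.join(reasons)}")
```

To use it on a real repository, call scan_gitmodules(open(".gitmodules", "rb").read()) before the submodule step of a clone or in a CI pre-check. Read the file as bytes: opening it in text mode with universal newlines turns a lone CR into a newline and hides the very byte the check is looking for.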
Patch, then assume compromise.
Exploits
14 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (30 hidden).
This repository demonstrates a proof-of-concept exploit for CVE-2025-48384 using a malicious git 'post-checkout' hook. The repository contains two files: a README.md describing the purpose, and a 'post-checkout' bash script. The script, when executed as a git hook, writes a flag ('CTF{you_triggered_cve_2025_48384}') to /tmp/flag.txt and prints a message to standard error indicating that RCE was triggered. The exploit is local in nature, requiring the victim to execute the malicious git hook, typically by performing a 'git checkout' in a repository containing this hook. No network endpoints are involved; the only fingerprintable endpoint is the file '/tmp/flag.txt'. The exploit serves as a demonstration of the vulnerability and does not include weaponized or remote payloads.
This repository is a proof-of-concept (PoC) for CVE-2025-48384, a vulnerability in Git related to handling of carriage return characters in submodule paths. The repository contains a Bash script (scripts/update-gitlink.sh) that programmatically creates or updates a submodule entry in the Git index with a path containing a carriage return character (sub^M). This is achieved by using Git's low-level update-index command with a specially crafted path. The script allows the user to specify the submodule URL and commit, defaulting to a placeholder GitHub repository. The README provides context and warnings, and the .gitmodules file references the submodule. The attack vector is local, requiring the user to run the script in a Git repository. The main fingerprintable endpoints are the submodule URL and the crafted submodule path. The repository is structured as a minimal PoC, with the main exploit logic in the Bash script.
This repository is a Proof-of-Concept (PoC) exploit for CVE-2025-48384, a vulnerability in Git related to submodules. The repository itself contains no executable code, but is structured to demonstrate the exploit: it includes a .gitmodules file referencing a malicious submodule, and a README.md with instructions to clone the repository with submodules enabled. The actual payload is hosted in a separate submodule repository and is executed via a Git hook (post-checkout) when the submodule is initialized. The exploit demonstrates how an attacker can achieve remote code execution on a victim's machine if they clone the repository with submodules. No direct code files are present in this repository; the exploit relies on Git's submodule and hook mechanisms. The main fingerprintable endpoints are the GitHub URLs for the main and submodule repositories, and the payload location.
This repository contains a single file named 'post-checkout', which is a short bash script. The script prints a message indicating infection and then executes a netcat (nc) command to open a reverse shell to 192.168.0.47 on port 4444, executing /bin/bash. The exploit is operational, providing remote shell access to the attacker if executed on a vulnerable system. The main attack vector is local execution, and the script targets generic Linux systems with netcat and bash available. The only endpoints referenced are the attacker's IP and port, and the local /bin/bash binary. The repository is minimal and focused solely on establishing a reverse shell.
This repository is a Capture The Flag (CTF) challenge and proof-of-concept (PoC) for CVE-2025-48384, a high-severity client-side code execution vulnerability in Git. The exploit leverages improper handling of carriage return (CR) characters in submodule paths within the .gitmodules file. By crafting a submodule path with a trailing CR and creating a symlink from the sanitized path to the .git/hooks directory, the attacker ensures that when a vulnerable Git client clones the repository recursively, a malicious post-checkout hook from the submodule is executed, resulting in arbitrary code execution. The repository includes detailed documentation (CTF/Implementation.md, CTF/Malicious-Git-Repo.md) on how to set up the exploit for CTF purposes, a Dockerfile for building a vulnerable Git environment, and scripts (scripts/poc.sh, scripts/update-gitlink.sh) to automate the PoC and update the malicious submodule reference. The main exploit payload is a shell script (post-checkout hook) that writes a flag to /tmp/flag.txt, demonstrating successful exploitation. The .gitmodules file references a malicious submodule hosted at https://github.com/s41r4j/CVE-2025-48384-submodule.git, and the exploit relies on Unix-like symlink behavior. The repository is not part of a framework and is structured for educational and CTF demonstration purposes. It targets Git clients on Linux, macOS, and Windows (with caveats for symlink handling), and is relevant for developer environments, CI/CD pipelines, and any context where untrusted repositories may be cloned with submodules.
This repository contains a proof-of-concept exploit for CVE-2025-48384, implemented as a shell script ('post-checkout'). The script is designed to be executed as a git hook, likely as part of a malicious submodule or repository. Upon execution, it attempts to exfiltrate the contents of /etc/passwd to a remote server (https://cve48384.requestcatcher.com) using curl or wget. It also attempts to establish a reverse shell connection to a hardcoded IP address and port (10.11.0.7:4444), using several fallback methods (bash, nc, or sh with redirected sockets) for reliability. The script optionally copies a local flag file if present. The exploit demonstrates both data exfiltration and remote shell access capabilities, and is operational with hardcoded payloads. The main entry point is the 'post-checkout' shell script.
This repository is a proof-of-concept (PoC) exploit for CVE-2025-48384, a vulnerability in Git (tested on version 2.50.0) that allows remote code execution when a repository with a malicious submodule is recursively cloned. The exploit leverages a crafted submodule path containing a carriage return and a malicious post-checkout hook to achieve code execution. The main payload is a simple Bash command that creates the file /tmp/fishsucks to demonstrate successful exploitation. The repository contains a Bash script (exploit.sh) that simulates the exploit process and calls a payload script (expected to be in a submodule). The README provides detailed reproduction steps and scripts for both local and GitHub-based exploitation. Key fingerprintable endpoints include the /tmp/fishsucks file (created as a marker of exploitation), the .git/modules/sub/hooks directory (used for malicious hooks), and referenced GitHub repositories for submodules. The exploit requires the target to clone the repository with submodules enabled on a vulnerable Git version, making the attack vector local (triggered by user action).
This repository is a proof-of-concept (POC) exploit for CVE-2025-48384, an improper link resolution vulnerability in Git affecting certain versions on Linux and macOS. The exploit leverages a crafted .gitmodules file and a submodule with a malicious git hook. By manipulating the submodule path to include a carriage return and symlinking the hooks directory, arbitrary code execution can be triggered when a user clones the repository recursively. The included payload is a bash script that creates a file in the user's home directory, demonstrating successful exploitation. The repository contains a README with detailed reproduction steps, a .gitmodules file referencing the malicious submodule, and a 'sub' file representing the symlinked hooks directory. No actual exploit code is present in the repository; the exploit relies on repository structure and configuration to achieve its effect.
This repository is a proof-of-concept (POC) exploit for CVE-2025-48384, targeting a vulnerability in Git related to submodule path and configuration manipulation. The repository contains three files: a .gitmodules file with a submodule entry pointing to a potentially malicious repository, a README.md with detailed instructions for setting up the exploit scenario, and a 'sub' file referencing a path ('.git/modules/sub/hooks') likely used to demonstrate the exploit's effect. The exploit works by manipulating the submodule path to include carriage return characters and altering the submodule configuration, which may lead to arbitrary file writes or path confusion on the target system. The main capability demonstrated is the abuse of Git submodule configuration to achieve unintended file system effects, which could be leveraged for further exploitation if the target is vulnerable. No traditional code files or payloads are present; the exploit is configuration-based and relies on user interaction with Git commands. The endpoints involved are GitHub repository URLs used for submodule referencing and demonstration.
This repository is a proof-of-concept (PoC) exploit for CVE-2025-48384, a vulnerability in Git affecting versions prior to specific patch releases (see affected versions). The exploit leverages a crafted .gitmodules file with a submodule path containing a carriage return (\r) character, which, due to Git's handling of configuration files, allows an attacker to place a malicious post-checkout hook in the victim's local .git/modules/sub/hooks directory. When a user clones the repository recursively, the attacker's script is executed, resulting in remote code execution (RCE) on the victim's machine. The provided payload is a simple Bash script that creates a file at /tmp/CVE-2025-48384 to demonstrate code execution. The repository contains a README.md with detailed technical explanation, a .gitmodules file with the malicious path, and a reference to a submodule. The exploit targets Linux/Unix systems running vulnerable Git versions and requires the victim to perform a recursive clone. No network-based attack vector is present; the attack is triggered by local actions during repository cloning.
This repository contains a single file, 'post-checkout', which is a bash script intended to be used as a git hook. When executed (typically after a git checkout operation), it initiates a reverse shell from the victim's machine to the attacker's machine at 192.168.0.115 on TCP port 55553. The script leverages bash's ability to open TCP connections via /dev/tcp. The exploit is operational, as it provides a working reverse shell payload, but it requires the attacker to place the script in a location where it will be executed by the victim (e.g., as a malicious git hook). There are no references to specific CVEs or products, and the attack vector is local, relying on social engineering or supply chain compromise to achieve execution.
This repository is a proof-of-concept (PoC) exploit for CVE-2025-48384, a vulnerability in Git related to submodule handling. The repository itself contains minimal files: a .gitmodules file referencing a malicious submodule, a README.md with usage instructions and explanation, and a 'sub' file indicating the submodule path. The exploit works by having a user clone the repository with submodules enabled and the file protocol allowed, which causes Git to fetch and initialize a submodule from a remote repository. The submodule contains a post-checkout hook (payload) that is executed, resulting in remote code execution (RCE) on the user's system. The actual payload is not present in this repository but is referenced and hosted in the submodule repository. No code files are present in this repository; the exploit relies on Git's submodule and hook mechanisms. The main attack vector is local, triggered by a user action (cloning the repository).
This repository is a proof-of-concept (POC) exploit for CVE-2025-48384, targeting vulnerable versions of git. The repository contains three files: a .gitmodules file that defines a submodule with a malicious configuration, a README.md that explains how to trigger the exploit, and a 'sub' file that appears to be a placeholder or reference to a submodule directory. The exploit works by instructing the user to clone the repository recursively with a vulnerable git version. Upon doing so, a file named /tmp/sectest will be created on the system, demonstrating the ability to perform arbitrary file writes via submodule abuse. No traditional code files are present; the exploit is implemented through git configuration and repository structure manipulation. The only fingerprintable endpoint is the file path /tmp/sectest, which is used to demonstrate successful exploitation.
This repository is a proof-of-concept (POC) exploit for CVE-2025-48384, a vulnerability in Git that allows remote code execution (RCE) when cloning a repository with a malicious submodule path containing a carriage return character. The exploit leverages a specially crafted .gitmodules file and submodule configuration to execute arbitrary code on the target system during a recursive clone operation. The README.md contains detailed reproduction steps and scripts (in fish shell) that demonstrate the vulnerability by creating a file (/tmp/fishsucks) on the target system. The repository structure is minimal, with the main exploit logic described in the README and a .gitmodules file referencing a malicious submodule. The repository is delivered over the network, but the attack is triggered by the victim's own action of cloning it with submodules enabled; no exposed service is required. The exploit targets vulnerable versions of Git (e.g., 2.50.0) on Linux platforms.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
98 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Git configuration file parsing vulnerability affecting macOS and Linux that can be exploited via a malicious .gitmodules file during recursive clone operations, leading to arbitrary file write and ultimately arbitrary code execution through malicious hook scripts.
A Git remote code execution vulnerability referenced in the context of detecting exploitation attempts during Git clone operations, relevant to developer environments and CI/CD workflows.
A Git vulnerability mentioned only in a related-stories section; no details provided in the main content.
A Git symlink vulnerability referenced in the advisory section.