Falcon Defends Against Git Vulnerability CVE-2025-48384

CrowdStrike has identified active exploitation of Git vulnerability CVE-2025-48384. In the observed activity, threat actors combined sophisticated social engineering tactics with malicious Git repository cloning operations. This targeted attack chain poses a substantial risk to organizations running unpatched Git installations.

This campaign emphasizes two critical security imperatives: timely software patching and implementing a comprehensive security strategy that encompasses detection, observation, and rapid incident response capabilities.

Vulnerability Details

CVE-2025-48384 is a configuration file parsing vulnerability in Git that affects macOS and Linux operating systems. The vulnerability stems from Git’s inconsistent handling of carriage return characters when parsing configuration files and submodule paths. 

An attacker can exploit this vulnerability by crafting a Git repository that includes a malicious .gitmodules file containing a submodule path with a trailing carriage return. When the repository is recursively cloned (via the command git clone --recursive), the path parsing inconsistency allows the threat actor to achieve an arbitrary file write to an attacker-specified path. By strategically placing symlinks and leveraging the carriage return confusion, attackers can write malicious content directly to the Git submodule’s hooks directory. Git then automatically executes this malicious hook script as part of the normal submodule checkout process, resulting in arbitrary code execution on the victim's system.

A proof of concept was published soon after exploitation, highlighting how easily this vulnerability can be exploited to achieve a wide range of objectives on the victim’s machine.
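
The parsing inconsistency above makes a carriage return inside a .gitmodules path value the thing to look for before running a recursive clone. The following is an added example, not CrowdStrike's or Git's code: a small pre-clone checker that reads a .gitmodules blob, reports control bytes (carriage return included) in path and url values, flags paths that escape the working tree, and, when a checked-out repository directory is supplied, reports an existing symlink at the path Git would use once the trailing carriage return is lost. It uses a simplified section/key=value reader rather than Git's full config parser (an assumption), and the sample .gitmodules bytes are constructed for the demonstration.

```python
"""Pre-clone check for .gitmodules entries that match the CVE-2025-48384 pattern.

Added example, not CrowdStrike's or Git's code. The reader below understands only
the common '[submodule "name"]' / 'path = ...' / 'url = ...' layout (assumption:
simpler than Git's config parser; comments and case-folded keys are not handled).
"""
import os
import re
from typing import List, Optional, Tuple

SECTION_RE = re.compile(rb'^[ \t]*\[submodule[ \t]+"([^"]*)"\][ \t]*$')
KEY_RE = re.compile(rb'^[ \t]*(path|url)[ \t]*=[ \t]*(.*)$')

Finding = Tuple[int, str, str]  # (line number, submodule name, reason)


def _unquote(value: bytes) -> bytes:
    """Strip only the outer double quotes so any control byte inside survives inspection."""
    value = value.rstrip(b" \t")
    if len(value) >= 2 and value.startswith(b'"') and value.endswith(b'"'):
        return value[1:-1]
    return value


def scan_gitmodules(data: bytes, repo_dir: Optional[str] = None) -> List[Finding]:
    """Return findings for a .gitmodules blob; an empty list means nothing suspicious."""
    findings: List[Finding] = []
    section = "<none>"
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        # A CR directly before the LF is just a CRLF line ending and is folded into
        # the newline; a CR anywhere else (e.g. inside quotes) is real value content.
        if line.endswith(b"\r"):
            line = line[:-1]
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1).decode("utf-8", "replace")
            continue
        kv = KEY_RE.match(line)
        if not kv:
            continue
        key = kv.group(1).decode()
        value = _unquote(kv.group(2))
        control = [b for b in value if b < 0x20 or b == 0x7F]
        if control:
            shown = " ".join(f"0x{b:02x}" for b in control)
            findings.append((lineno, section, f"{key} contains control byte(s) {shown}"))
        if key != "path":
            continue
        # The path Git ends up using after the trailing CR is dropped on the write/read round trip.
        effective = value.rstrip(b"\r").decode("utf-8", "replace")
        parts = effective.replace("\\", "/").split("/")
        if os.path.isabs(effective) or ".." in parts:
            findings.append((lineno, section, f"path escapes the working tree: {effective!r}"))
        if repo_dir is not None and os.path.islink(os.path.join(repo_dir, effective)):
            findings.append((lineno, section, f"symlink already present at submodule path {effective!r}"))
    return findings


# Constructed sample: a clean CRLF-terminated entry, an entry whose quoted path
# carries a trailing carriage return, and an entry pointing outside the tree.
SAMPLE_GITMODULES = (
    b'[submodule "clean"]\r\n'
    b'\tpath = vendor/clean\r\n'
    b'\turl = https://example.invalid/clean.git\r\n'
    b'[submodule "evil"]\n'
    b'\tpath = "sub\r"\n'
    b'\turl = https://example.invalid/evil.git\n'
    b'[submodule "escape"]\n'
    b'\tpath = ../outside\n'
    b'\turl = https://example.invalid/escape.git\n'
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # scan a real file, with symlink checks relative to its directory
        target = sys.argv[1]
        with open(target, "rb") as fh:
            results = scan_gitmodules(fh.read(), os.path.dirname(os.path.abspath(target)))
    else:                  # no argument: scan the constructed sample
        target, results = "<sample>", scan_gitmodules(SAMPLE_GITMODULES)
    for lineno, name, reason in results:
        print(f"{target}:{lineno} [submodule {name}] {reason}")
```

Run it against the .gitmodules of a repository cloned without --recursive (or fetched with a plain git show HEAD:.gitmodules) before deciding whether to initialize its submodules; the symlink check only fires when a working tree is available, which is why it is optional.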

Exploitation in the Wild

During analysis of the social engineering activity and in-the-wild exploitation, CrowdStrike identified the following indicators associated with CVE-2025-48384:

  • A malicious repository was cloned using git clone --recursive

  • A post-checkout hook script was executed from one of the repository’s submodules

Figure 1 shows the executed post-checkout hook script’s content, which uses Python to execute the first-stage malware script hooks/vm.tf, extracts a TAR file to /tmp, and then deletes the submodule’s files.

Figure 1. Script executing first-stage malware payload

CrowdStrike Falcon Coverage

The CrowdStrike Falcon® sensor’s machine learning and behavior-based indicator of attack (IOA) detection capabilities can automatically detect and prevent exploitation. Additionally, a CrowdStrike Falcon® Next-Gen SIEM rule template has been made available to customers to protect against CVE-2025-48384 exploitation.

Figure 2 below shows an indicator of attack (IOA) detecting the emerging threat based on the observed artifacts of execution and carriage return abuse.

Figure 2. IOA detection of CVE exploitation highlighting the emerging threat

As shown in Figure 3, CrowdStrike® Charlotte AI™ is fully aware of the context of the detection. It provides additional insight into the activity and highlights the relationship to the public CVE. Charlotte AI provides the human analyst with the following “Investigative Overview” steps for action: 

  • Analyze the command-line execution and its context
  • Investigate the process tree and related artifacts for suspicious behavior
  • Correlate user activity and permissions regarding the cloned repository
  • Review the contents of the cloned repository for indicators of compromise (IOCs)

Figure 3. Agentic response with Charlotte AI from the emerging threat detection

Additional IOA coverage targeting malicious Git hooks has also been made available to customers (Figure 4).

Figure 4. IOA detection of the malicious hook file written to disk

Once again, Charlotte AI is fully aware of the context of the detection and can assist the human analyst with resolving and remediating the activity (see Figure 5). Charlotte AI provides the human analyst with the following “Investigative Overview” steps for action: 

  • Assess the context of the Git command execution to determine if it aligns with expected development activities
  • Analyze the parent and grandparent processes to understand the sequence of operations leading to the detection
  • Review the environment where the command was executed to identify any anomalies or deviations from normal usage patterns
  • Correlate the detection with known vulnerabilities in Git to evaluate the potential for exploitation
  • Investigate user activity and access patterns around the time of the detection to identify any suspicious behavior

Figure 5. Agentic response with Charlotte AI for follow-on exploit activity

Conclusion

Vulnerabilities within popular applications continue to be a significant threat to organizations around the world. This recent vulnerability in Git is no different, presenting a risk to unpatched users. 

To protect endpoints from this threat, CrowdStrike Falcon® Insight XDR customers should ensure the following prevention policy settings are enabled:

  • Suspicious process prevention
  • Script-based execution visibility

The Falcon Next-Gen SIEM rule template “CrowdStrike - Endpoint - Git Arbitrary Write (CVE-2025-48384)” is available for customers to alert on suspicious Git activity including the writing to disk of suspected malicious “post-checkout” files.

Appendix: Threat Hunting Queries

The following Falcon Next-Gen SIEM Advanced Event Search queries are provided to assist defenders in hunting for this and similar activity across their endpoints.

NOTE: Make sure to update the Falcon URL to the cloud in which your environment is currently configured (US1, US2, EU1, etc.)

Post-checkout script written to hooks subfolder by abnormal Git process:

defineTable(
  query={
    event_platform=Mac #event_simpleName="NewScriptWritten" FilePath="*/.git/*/hooks/" FileName="post-checkout" ContextBaseFileName="git"
  },
  name="git_script_write",
  start=1d,
  include=*
)
| event_platform=Mac #event_simpleName="ProcessRollup2"
| match(file="git_script_write", field="TargetProcessId", column="ContextProcessId")
| CommandLine=/\s[a-z,\d]{15,45}/i
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
| groupBy([aid, GraphExplorer, TargetFileName, ImageFileName, CommandLine])

Hunting for files written to disk containing potential carriage return character:

defineTable(
  query={
    event_platform=Mac TargetFileName="*\\u000d"
  },
  name="file_containing_carriage_return_char",
  start=1d,
  include=*
)
| event_platform=Mac #event_simpleName="ProcessRollup2"
| match(file="file_containing_carriage_return_char", field="TargetProcessId", column="ContextProcessId")
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
| groupBy([aid, GraphExplorer, TargetFileName, ImageFileName, CommandLine])

Post-checkout script file contents:

defineTable(
  query={
    event_platform=Mac #event_simpleName="ScriptControlScanInfo" ScriptContentName="post-checkout" ScriptContent=/hooks\/vm\.tf|hooks\/mongodb\.hook\.js/
  },
  name="malicious_post_checkout_contents",
  start=1d,
  include=*
)
| event_platform=Mac #event_simpleName="ProcessRollup2"
| match(file="malicious_post_checkout_contents", field="TargetProcessId", column="ContextProcessId")
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
| groupBy([aid, GraphExplorer, ScriptContent, ImageFileName, CommandLine])
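
For defenders who want to understand what the first two queries above actually join on before adapting them, the following is an added example, not CrowdStrike's code and not the Falcon query engine: a plain Python emulation of the "git_script_write" and "file_containing_carriage_return_char" hunts over a handful of constructed events. The field names mirror those used in the queries, the join follows match(field="TargetProcessId", column="ContextProcessId") literally (a process-ID match with no sensor-ID scoping, exactly as the queries are written), and the aid values, paths and command lines are invented for the demonstration.

```python
"""Offline emulation of the appendix hunting queries over constructed Falcon-style events.

Added example, not CrowdStrike's code. Event dictionaries and their values are
constructed; field names follow the queries in the appendix.
"""
import fnmatch
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, str]

HOOK_PATH_GLOB = "*/.git/*/hooks/"  # FilePath="*/.git/*/hooks/" in the query
GRAPH_URL = "https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:{aid}:{pid}"
SUSPICIOUS_ARG = re.compile(r"\s[a-z,\d]{15,45}", re.IGNORECASE)  # CommandLine=/\s[a-z,\d]{15,45}/i
GROUP_FIELDS = ("aid", "GraphExplorer", "TargetFileName", "ImageFileName", "CommandLine")


def git_hook_writes(events: Iterable[Event]) -> List[Event]:
    """defineTable 'git_script_write': post-checkout written under a hooks directory by git."""
    return [e for e in events
            if e.get("event_platform") == "Mac"
            and e.get("event_simpleName") == "NewScriptWritten"
            and fnmatch.fnmatchcase(e.get("FilePath", ""), HOOK_PATH_GLOB)
            and e.get("FileName") == "post-checkout"
            and e.get("ContextBaseFileName") == "git"]


def cr_filenames(events: Iterable[Event]) -> List[Event]:
    """defineTable 'file_containing_carriage_return_char': any Mac event whose
    TargetFileName ends in a carriage return (U+000D); no event type filter."""
    return [e for e in events
            if e.get("event_platform") == "Mac" and e.get("TargetFileName", "").endswith("\r")]


def join_process(table: List[Event], events: Iterable[Event]) -> List[Event]:
    """match(file=..., field="TargetProcessId", column="ContextProcessId"): attach each
    table row to the ProcessRollup2 event of the process that performed the write."""
    by_ctx: Dict[str, List[Event]] = {}
    for row in table:
        by_ctx.setdefault(row.get("ContextProcessId", ""), []).append(row)
    joined: List[Event] = []
    for e in events:
        if e.get("event_platform") != "Mac" or e.get("event_simpleName") != "ProcessRollup2":
            continue
        for row in by_ctx.get(e.get("TargetProcessId", ""), []):
            joined.append({**row, **e})  # include=*: table columns ride along, event fields win
    return joined


def graph_link(e: Event) -> str:
    """format(...) step: markdown link into the process explorer for this aid/pid."""
    return "[GraphExplorer](" + GRAPH_URL.format(aid=e["aid"], pid=e["TargetProcessId"]) + ")"


def group_by(rows: Iterable[Event], fields: Tuple[str, ...]) -> Dict[tuple, int]:
    return dict(Counter(tuple(r.get(f, "") for f in fields) for r in rows))


def hunt_hook_writes(events: List[Event]) -> Dict[tuple, int]:
    """First query: hook write joined to its process, then the long-token command-line filter."""
    rows = join_process(git_hook_writes(events), events)
    rows = [dict(r, GraphExplorer=graph_link(r)) for r in rows
            if SUSPICIOUS_ARG.search(r.get("CommandLine", ""))]
    return group_by(rows, GROUP_FIELDS)


def hunt_cr_filenames(events: List[Event]) -> Dict[tuple, int]:
    """Second query: CR-terminated file names joined to the writing process."""
    rows = [dict(r, GraphExplorer=graph_link(r)) for r in join_process(cr_filenames(events), events)]
    return group_by(rows, GROUP_FIELDS)


# Constructed sample telemetry (aid, paths and command lines are invented).
SAMPLE_EVENTS: List[Event] = [
    # git process cloning recursively into a 20-character directory name
    {"event_simpleName": "ProcessRollup2", "event_platform": "Mac", "aid": "aid-constructed-1",
     "TargetProcessId": "1001", "ImageFileName": "/usr/bin/git",
     "CommandLine": "git clone --recursive https://example.invalid/x.git a1b2c3d4e5f6g7h8i9j0"},
    # post-checkout written into a submodule hooks directory by that process
    {"event_simpleName": "NewScriptWritten", "event_platform": "Mac", "aid": "aid-constructed-1",
     "ContextProcessId": "1001", "ContextBaseFileName": "git",
     "FilePath": "/Users/dev/a1b2c3d4e5f6g7h8i9j0/.git/modules/sub/hooks/", "FileName": "post-checkout",
     "TargetFileName": "/Users/dev/a1b2c3d4e5f6g7h8i9j0/.git/modules/sub/hooks/post-checkout"},
    # a file whose name carries a trailing carriage return, same process
    {"event_simpleName": "NewScriptWritten", "event_platform": "Mac", "aid": "aid-constructed-1",
     "ContextProcessId": "1001", "ContextBaseFileName": "git",
     "FilePath": "/Users/dev/a1b2c3d4e5f6g7h8i9j0/", "FileName": "sub\r",
     "TargetFileName": "/Users/dev/a1b2c3d4e5f6g7h8i9j0/sub\r"},
    # same hook-write pattern, but a human-readable clone target: dropped by the CommandLine regex
    {"event_simpleName": "ProcessRollup2", "event_platform": "Mac", "aid": "aid-constructed-1",
     "TargetProcessId": "1002", "ImageFileName": "/usr/bin/git",
     "CommandLine": "git clone --recursive https://example.invalid/team-repo.git team-repo"},
    {"event_simpleName": "NewScriptWritten", "event_platform": "Mac", "aid": "aid-constructed-1",
     "ContextProcessId": "1002", "ContextBaseFileName": "git",
     "FilePath": "/Users/dev/team-repo/.git/modules/lib/hooks/", "FileName": "post-checkout",
     "TargetFileName": "/Users/dev/team-repo/.git/modules/lib/hooks/post-checkout"},
]

if __name__ == "__main__":
    for name, result in (("git_script_write", hunt_hook_writes(SAMPLE_EVENTS)),
                         ("file_containing_carriage_return_char", hunt_cr_filenames(SAMPLE_EVENTS))):
        print(name)
        for key, count in result.items():
            print("  ", count, key)
```

Two things the emulation makes visible: the first query's CommandLine regex is what separates the recursive clone of a long random repository name from an otherwise identical hook write, so a hunter tuning it for their own naming conventions changes the results more than any other line; and match() as written keys on the process ID alone, so on a large estate the join is worth scoping to the same aid as well.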

Additional Resources