www.root.io Root Security Bulletin - CVE: CVE-2025-48384 Date: August 26, 2025 Severity: High (CVSS v3.1 Score: 8.0)
Overview
A critical Git vulnerability, CVE-2025-48384, has been identified and is actively exploited in the wild, now listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. This flaw enables remote code execution (RCE) through malicious repositories and poses a significant risk to developers and CI/CD pipelines across Linux and macOS systems. Windows installations are unaffected due to filesystem restrictions.
The vulnerability impacts all Git versions prior to the patched releases issued on July 8, 2025. While Ubuntu responded immediately with security advisories, Debian has marked the issue "no-dsa," delaying fixes until future point releases—leaving many Debian-based environments exposed.
Technical Details
The vulnerability arises from an inconsistency in Git's configuration parsing logic:
When reading config values, Git strips trailing CRLF characters.
When writing, values with trailing carriage returns (CR) are not properly quoted, leading to discrepancies when read back.
Attackers can exploit this by creating malicious .gitmodules files with submodule paths ending in CR characters. When combined with symlinked hooks directories and executable post-checkout hooks, this enables arbitrary file writes and ultimately remote code execution.
Exploitation scenario: Victims running git clone --recursive on a malicious repository may initialize submodules in unintended filesystem locations. Security researchers (liamg, acheong08, and others) have published proof-of-concept exploits validating the attack's real-world impact.
Affected versions:
Git versions prior to v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1
Systems: Linux, macOS (where control characters are allowed in filenames)
Not affected: Windows
CVSS v3.1 Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Base Score: 8.0 (High)
Impact
Active exploitation confirmed: CISA added CVE-2025-48384 to its KEV catalog on August 25, 2025, with a remediation deadline of September 15, 2025 for U.S. federal agencies.
Developer tools at risk: GitHub Desktop for macOS is particularly vulnerable due to its default use of recursive cloning.
Distribution disparity: Ubuntu issued immediate advisories and patches, while Debian deferred remediation, leaving production systems running Bookworm, Bullseye, or Trixie without timely fixes.
This uneven patching cadence underscores the supply chain risks when critical open-source infrastructure receives inconsistent remediation across ecosystems.
Timeline
July 8, 2025: Git project discloses CVE-2025-48384 and issues patched releases across eight version branches.
July 9-15, 2025: Security researchers publish multiple proof-of-concept exploits, confirming real-world exploitability.
August 8, 2025: Root tested, backported, and deployed patches for Debian Bookworm, Bullseye, Trixie, and all Slim variants, delivering them seamlessly across all Root users' environments without disruption.
August 15, 2025: Debian marked the issue as "no-dsa," opting for remediation only in future point releases.
August 25, 2025: CISA added CVE-2025-48384 to the KEV catalog, mandating U.S. federal agencies remediate by September 15.
Recommendations
For Debian Users
Confirm exposure: Determine if your systems use the git package maintained by Debian. Tools like Trivy or enterprise vulnerability scanners can quickly verify vulnerable versions.
Short-term mitigations:
Avoid git clone --recursive on untrusted repositories.
Inspect .gitmodules files before initializing submodules.
Consider compiling patched versions of Git from source where feasible.
For Root Users
Customers using Root's Agentic Vulnerability Remediation (AVR) platform are already protected. Root delivered patched and backported Git packages on August 8, 2025, covering Debian Bookworm, Bullseye, Trixie, and all Slim variants. Patches were deployed seamlessly across all user environments without disruption.
Users can verify their protection in the Artifact Explorer or trigger an on-demand remediation in under five minutes.
Extended availability: Root's patched versions are also accessible through partners such as Aikido and scanners using Trivy, where advanced tier subscribers receive immediate coverage.
For Non-Customers
Get free remediation: Sign up at app.root.io to remediate affected images and push them back to your repositories at no cost.
Root's Approach
Root’s Agentic Vulnerability Remediation (AVR) technology leverages AI-driven automation overseen by security experts, replicating the decision-making of seasoned engineers at scale.
The platform operates in five phases:
Assessment – Mapping CVEs across known databases.
Recommendation – Identifying the optimal remediation path.
Application – Applying and backporting security patches where needed.
Validation – Rigorous testing against public frameworks.
Deployment – Delivering fully remediated, auditable images.
Unlike traditional vulnerability scanners, Root fixes vulnerabilities proactively—eliminating false positives, providing comprehensive SBOMs and VEX statements, and reducing remediation time to minutes.
Conclusion
CVE-2025-48384 highlights both the responsiveness of the Git project and the uneven patching practices across Linux distributions. While upstream patches were released promptly, Debian's deferred remediation created a critical exposure window that attackers are already exploiting.
Organizations relying on Debian-based containers cannot afford to wait for delayed point releases. Automated remediation platforms like Root AVR bridge this gap by providing continuous, proactive protection at container-build speeds—ensuring development teams remain secure without sacrificing velocity.
For broader industry analysis of what this vulnerability reveals about modern security approaches, see our blog post: CVE- 2025-48384: The Git Vulnerability That's Exposing a Broken System.
Take action now: Explore Root's remediation for CVE-2025-48384 at app.root.io
techcrunch.com Zack Whittaker
11:15 AM PDT · August 29, 2025
A spyware vendor was behind a recent campaign that abused a vulnerability in WhatsApp to deliver an exploit capable of hacking into iPhones and Macs.
WhatsApp said on Friday that it fixed a security bug in its iOS and Mac apps that was being used to stealthily hack into the Apple devices of “specific targeted users.”
The Meta-owned messaging app giant said in its security advisory that it fixed the vulnerability, known officially as CVE-2025-55177, which was used alongside a separate flaw found in iOS and Macs, which Apple fixed last week and tracks as CVE-2025-43300.
Apple said at the time that the flaw was used in an “extremely sophisticated attack against specific targeted individuals.” Now we know that dozens of WhatsApp users were targeted with this pair of flaws.
Donncha Ó Cearbhaill, who heads Amnesty International’s Security Lab, described the attack in a post on X as an “advanced spyware campaign” that targeted users over the past 90 days, or since the end of May. Ó Cearbhaill described the pair of bugs as a “zero-click” attack, meaning it does not require any interaction from the victim, such as clicking a link, to compromise their device.
The two bugs chained together allow an attacker to deliver a malicious exploit through WhatsApp that’s capable of stealing data from the user’s Apple device.
Per Ó Cearbhaill, who posted a copy of the threat notification that WhatsApp sent to affected users, the attack was able to “compromise your device and the data it contains, including messages.”
It’s not immediately clear who, or which spyware vendor, is behind the attacks.
When reached by TechCrunch, Meta spokesperson Margarita Franklin confirmed the company detected and patched the flaw “a few weeks ago” and that the company sent “less than 200” notifications to affected WhatsApp users.
The spokesperson did not say, when asked, if WhatsApp has evidence to attribute the hacks to a specific attacker or surveillance vendor.
This is not the first time that WhatsApp users have been targeted by government spyware, a kind of malware capable of breaking into fully patched devices with vulnerabilities not known to the vendor, known as zero-day flaws.
In May, a U.S. court ordered spyware maker NSO Group to pay WhatsApp $167 million in damages for a 2019 hacking campaign that broke into the devices of more than 1,400 WhatsApp users with an exploit capable of planting NSO’s Pegasus spyware. WhatsApp brought the legal case against NSO, citing a breach of federal and state hacking laws, as well as its own terms of service.
Earlier this year, WhatsApp disrupted a spyware campaign that targeted around 90 users, including journalists and members of civil society across Italy. The Italian government denied its involvement in the spying campaign. Paragon, whose spyware was used in the campaign, later cut off Italy from its hacking tools for failing to investigate the abuse.
