
CISA Alerts on Actively Exploited Git Vulnerability Allowing Code Execution

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about an actively exploited vulnerability in the widely used Git distributed version control system. This flaw, which could allow arbitrary code execution, has already been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch their systems by September 15, 2025.

Git plays a central role in modern software development, enabling teams to track and manage code changes collaboratively. It underpins major platforms like GitHub, GitLab, and Bitbucket, making its security critical to global development ecosystems. The vulnerability, tracked as CVE-2025-48384, has been rated high severity and arises from Git’s mishandling of carriage return (\r) characters within configuration files.

The flaw results from inconsistencies in how Git reads and writes these characters, causing incorrect submodule path resolution. Attackers can exploit this by publishing malicious repositories that include submodules ending with \r combined with a crafted symlink and hook setup, leading to remote code execution on systems that clone the repository. This makes developers and organizations particularly vulnerable when pulling code from untrusted sources.

Git maintainers identified the issue on July 8, 2025, and quickly released patched versions: 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1. Users are strongly urged to upgrade to one of these releases immediately. For environments where patching is not feasible, experts recommend disabling recursive submodule cloning from unverified sources, globally disabling Git hooks through the core.hooksPath setting, or only permitting audited submodules.
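As an added example (not from the article, CISA, or the Git project), the following POSIX shell script checks whether a Git version string is at or above the fixed release for its 2.x line using the version list above, and carries the article's fallback of pointing core.hooksPath at an empty directory. It assumes that release lines newer than 2.50 include the fix and that lines older than 2.43 never received one.

```shell
#!/bin/sh
# Added example: version check for CVE-2025-48384 plus the hooks mitigation.
# Fixed releases as listed in the advisory, one per affected 2.x line.
FIXED_VERSIONS="2.43.7 2.44.4 2.45.4 2.46.4 2.47.3 2.48.2 2.49.1 2.50.1"

# git_is_patched VERSION -> exit 0 if fixed, 1 if still vulnerable.
# Accepts "2.47.2", "git version 2.47.2" or "2.47.2.windows.1".
# Assumption: lines >= 2.51 carry the fix; lines < 2.43 have no fixed release.
git_is_patched() {
    v=${1#git version }
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) p=${rest#*.}; patch=${p%%.*} ;;
        *)   patch=0 ;;                    # "2.50" with no patch component
    esac
    [ "$major" -gt 2 ] && return 0
    [ "$major" -lt 2 ] && return 1
    [ "$minor" -ge 51 ] && return 0
    [ "$minor" -lt 43 ] && return 1
    for fixed in $FIXED_VERSIONS; do
        f_rest=${fixed#2.}
        f_minor=${f_rest%%.*}
        f_patch=${f_rest#*.}
        if [ "$f_minor" -eq "$minor" ]; then
            [ "$patch" -ge "$f_patch" ] && return 0
            return 1
        fi
    done
    return 1
}

# report_installed_git: print a verdict for the git binary on PATH.
report_installed_git() {
    v=$(git --version 2>/dev/null) || { echo "git not found"; return 2; }
    if git_is_patched "$v"; then
        echo "OK: $v is at or above the fixed release for its line"
    else
        echo "VULNERABLE: $v predates the fix; upgrade to one of: $FIXED_VERSIONS"
        return 1
    fi
}

# disable_hooks_globally [DIR]: point core.hooksPath at an empty directory so
# no repository-supplied hook can run (the article's fallback when patching
# is not possible). DIR defaults to a constructed path under $HOME.
disable_hooks_globally() {
    dir=${1:-$HOME/.git-empty-hooks}
    mkdir -p "$dir" && git config --global core.hooksPath "$dir"
}
```

Run `report_installed_git` to check the local install; `disable_hooks_globally` changes the user's global Git configuration, so apply it deliberately.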

In addition to the Git flaw, CISA also added two medium-severity vulnerabilities in Citrix Session Recording to the KEV catalog. These include CVE-2024-8068 and CVE-2024-8069, both patched by Citrix in November 2024. CVE-2024-8068 allows an authenticated user within the same Active Directory domain to escalate privileges to the NetworkService account, while CVE-2024-8069 enables remote code execution through the deserialization of untrusted data. Affected Citrix versions include 2407 hotfix 24.5.200.8 (CR), 1912 LTSR before CU9, 2203 LTSR before CU5, and 2402 LTSR before CU1.

CISA has imposed the same September 15 deadline for organizations to patch these Citrix vulnerabilities or cease using affected products. Given Git’s prominence in software development and Citrix’s role in enterprise IT environments, these vulnerabilities represent a serious security risk.

Conclusion: The exploitation of Git’s CVE-2025-48384 highlights how deeply a single flaw can impact the software supply chain. Combined with Citrix’s vulnerabilities, the urgency of CISA’s September 15 deadline cannot be overstated. Organizations that fail to patch are not just risking compliance but exposing themselves to real-world cyberattacks. Ensuring updates, disabling risky features, and enforcing strict repository hygiene are essential measures to mitigate the threat.
