Vulnerability details: VCID-44s3-56w5-jqhy
Vulnerability ID VCID-44s3-56w5-jqhy
Aliases CVE-2025-48384
Summary Multiple vulnerabilities have been discovered in Git, the worst of which could lead to arbitrary code execution.
Status Published
Exploitability 2.0
Weighted Severity 7.3
Risk 10.0
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-48384.json
https://api.first.org/data/v1/epss?cve=CVE-2025-48384
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48384
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
1108983 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108983
2378806 https://bugzilla.redhat.com/show_bug.cgi?id=2378806
GHSA-vwqx-4fm8-6qc9 https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9
GLSA-202507-09 https://security.gentoo.org/glsa/202507-09
RHSA-2025:11462 https://access.redhat.com/errata/RHSA-2025:11462
RHSA-2025:11533 https://access.redhat.com/errata/RHSA-2025:11533
RHSA-2025:11534 https://access.redhat.com/errata/RHSA-2025:11534
RHSA-2025:11686 https://access.redhat.com/errata/RHSA-2025:11686
RHSA-2025:11688 https://access.redhat.com/errata/RHSA-2025:11688
RHSA-2025:11793 https://access.redhat.com/errata/RHSA-2025:11793
RHSA-2025:11794 https://access.redhat.com/errata/RHSA-2025:11794
RHSA-2025:11795 https://access.redhat.com/errata/RHSA-2025:11795
RHSA-2025:11796 https://access.redhat.com/errata/RHSA-2025:11796
RHSA-2025:11800 https://access.redhat.com/errata/RHSA-2025:11800
RHSA-2025:11801 https://access.redhat.com/errata/RHSA-2025:11801
RHSA-2025:13276 https://access.redhat.com/errata/RHSA-2025:13276
RHSA-2025:13325 https://access.redhat.com/errata/RHSA-2025:13325
RHSA-2025:13933 https://access.redhat.com/errata/RHSA-2025:13933
RHSA-2025:14059 https://access.redhat.com/errata/RHSA-2025:14059
RHSA-2025:14396 https://access.redhat.com/errata/RHSA-2025:14396
RHSA-2025:14853 https://access.redhat.com/errata/RHSA-2025:14853
RHSA-2025:14858 https://access.redhat.com/errata/RHSA-2025:14858
RHSA-2025:15308 https://access.redhat.com/errata/RHSA-2025:15308
RHSA-2025:15672 https://access.redhat.com/errata/RHSA-2025:15672
RHSA-2025:15827 https://access.redhat.com/errata/RHSA-2025:15827
RHSA-2025:15828 https://access.redhat.com/errata/RHSA-2025:15828
USN-7626-1 https://usn.ubuntu.com/7626-1/
Data source KEV
Date added Aug. 25, 2025
Description Git contains a link following vulnerability that stems from Git’s inconsistent handling of carriage return characters in configuration files.
Required action Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due date Sept. 15, 2025
Note
This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. For more information, please see: https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9 ; https://access.redhat.com/errata/RHSA-2025:13933 ; https://alas.aws.amazon.com/AL2/ALAS2-2025-2941.html ; https://linux.oracle.com/errata/ELSA-2025-11534.html ; https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-48384 ; https://nvd.nist.gov/vuln/detail/CVE-2025-48384
Ransomware campaign use Unknown
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-48384.json
Attack Vector (AV): network
Attack Complexity (AC): high
Privileges Required (PR): low
User Interaction (UI): required
Scope (S): changed
Confidentiality Impact (C): high
Integrity Impact (I): high
Availability Impact (A): high

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): local
Attack Complexity (AC): low
Privileges Required (PR): none
User Interaction (UI): required
Scope (S): unchanged
Confidentiality Impact (C): high
Integrity Impact (I): high
Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H Found at https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9
Attack Vector (AV): network
Attack Complexity (AC): high
Privileges Required (PR): low
User Interaction (UI): required
Scope (S): changed
Confidentiality Impact (C): high
Integrity Impact (I): high
Availability Impact (A): high

Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-08-26T03:55:23Z/ Found at https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9
Exploit Prediction Scoring System (EPSS)
Percentile 0.64639
EPSS Score 0.00472
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:04:36.506259+00:00 Gentoo Importer Import https://security.gentoo.org/glsa/202507-09 38.0.0