{"id":"AZL-65057","summary":"CVE-2025-48384 affecting package git for versions less than 2.40.4-2","details":"Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.","modified":"2026-04-01T05:20:27.976561Z","published":"2025-07-08T19:15:42Z","upstream":["CVE-2025-48384"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-48384"}],"affected":[{"package":{"name":"git","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/git"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.40.4-2"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-65057.json"}}],"schema_version":"1.7.5"}