diff --git a/cve_rules/CVE-2025-48384.yar b/cve_rules/CVE-2025-48384.yar
new file mode 100644
index 00000000..6784a538
--- /dev/null
+++ b/cve_rules/CVE-2025-48384.yar
@@ -0,0 +1,22 @@
+/*
+ This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/
+
+rule CVE_2025_48384_Git_Submodule_Path_CR {
+ meta:
+ description = "Detects .gitmodules entries with submodule paths containing a trailing CR causing Git to write an incorrect submodule entry and enabling subsequent hook injection - indicator of supply chain compromise (via compromised submodule), as in CVE-2025-48384."
+ author = "Vinicius Egerland"
+ cve = "CVE-2025-48384"
+ ghsa = "GHSA-vwqx-4fm8-6qc9"
+ poc_reference = "https://github.com/vinieger/CVE-2025-48384"
+ date = "2025-09-15"
+ severity = "medium"
+ tags = "git CVE-2025-48384 GHSA-vwqx-4fm8-6qc9 T1195.002"
+
+ strings:
+ $section = "[submodule \"" ascii
+ $path = /\s*path\s*=\s*(".+"|[^\s]+)\r"/ ascii nocase
+
+ condition:
+ $section and $path and filesize < 20KB
+}
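Review bot: The trailing `\r"` in `$path` makes the alternation `(".+"|[^\s]+)` do something other than what it reads as: the `".+"` branch requires a CR and a second quote after the closing quote, so it never matches the `path = "sub<CR>"` layout, which is only caught because the `[^\s]+` branch swallows the opening quote plus the path up to the CR, and a quoted path with whitespace in it (`"a b<CR>"`) is missed entirely. If I recall git's config parser correctly, an unquoted trailing CR is discarded as whitespace on read, so the quoted form is the one that survives into the write path and the string should target it explicitly, e.g. `$path = /path\s*=\s*"[^"\n]*\r"/ ascii nocase`. The leading `\s*` in the current pattern adds nothing and can go at the same time. Note that a bare `path = sub<CR>` line will still not fire with either version; if that is wanted as a weaker IOC it should be a separate string rather than a widening of `$path`, so the two can be scored differently.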