Bug 2378808 (CVE-2025-48385)

Summary: CVE-2025-48385 git: Git arbitrary file writes
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: adudiak, crizzo, dfreiber, drow, jburrell, jmitchel, jtanner, kshier, omaciel, sdawley, stcannon, vkumar, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A bundled uri handling flaw was found in Git. When cloning a repository, Git knows to optionally fetch a bundle advertised by the remote server, which allows the server side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2378824, 2378826, 2378825, 2378827    
Bug Blocks:    

Description OSIDB Bzimport 2025-07-08 19:01:18 UTC 
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution. The use of bundle URIs is not enabled by default and can be controlled by the bundle.heuristic config option. Some cases of the vulnerability require that the adversary is in control of where a repository will be cloned to. This either requires social engineering or a recursive clone with submodules. These cases can thus be avoided by disabling recursive clones. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
Comment 2 errata-xmlrpc 2025-07-21 14:45:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:11462 https://access.redhat.com/errata/RHSA-2025:11462
Comment 3 errata-xmlrpc 2025-07-22 12:00:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:11533 https://access.redhat.com/errata/RHSA-2025:11533
Comment 4 errata-xmlrpc 2025-07-22 13:19:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:11534 https://access.redhat.com/errata/RHSA-2025:11534
Comment 5 errata-xmlrpc 2025-07-24 07:46:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:11686 https://access.redhat.com/errata/RHSA-2025:11686
Comment 6 errata-xmlrpc 2025-07-28 01:14:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:11795 https://access.redhat.com/errata/RHSA-2025:11795
Comment 7 errata-xmlrpc 2025-07-28 01:25:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2025:11794 https://access.redhat.com/errata/RHSA-2025:11794
Comment 8 errata-xmlrpc 2025-08-07 06:31:16 UTC 
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2025:13276 https://access.redhat.com/errata/RHSA-2025:13276
Comment 9 errata-xmlrpc 2025-08-13 05:49:51 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:13325 https://access.redhat.com/errata/RHSA-2025:13325
Comment 12 errata-xmlrpc 2025-08-20 07:11:16 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.19

Via RHSA-2025:13933 https://access.redhat.com/errata/RHSA-2025:13933
Comment 17 errata-xmlrpc 2025-08-27 21:45:18 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:14059 https://access.redhat.com/errata/RHSA-2025:14059
Comment 18 errata-xmlrpc 2025-08-27 21:45:57 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2025:14396 https://access.redhat.com/errata/RHSA-2025:14396
Comment 19 errata-xmlrpc 2025-09-04 17:04:22 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2025:14853 https://access.redhat.com/errata/RHSA-2025:14853
Comment 20 errata-xmlrpc 2025-09-04 17:04:43 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2025:14858 https://access.redhat.com/errata/RHSA-2025:14858
Comment 21 errata-xmlrpc 2025-09-15 15:13:24 UTC 
This issue has been addressed in the following products:

  Red Hat Web Terminal 1.12 on RHEL 9

Via RHSA-2025:15827 https://access.redhat.com/errata/RHSA-2025:15827
Comment 22 errata-xmlrpc 2025-09-15 15:14:14 UTC 
This issue has been addressed in the following products:

  Red Hat Web Terminal 1.11 on RHEL 9

Via RHSA-2025:15828 https://access.redhat.com/errata/RHSA-2025:15828
Comment 23 errata-xmlrpc 2025-09-18 05:45:11 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2025:15672 https://access.redhat.com/errata/RHSA-2025:15672