CVE-2025-48385
Git alllows arbitrary file writes via bundle-uri parameter injectionGit is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution. The use of bundle URIs is not enabled by default and can be controlled by the bundle.heuristic config option. Some cases of the vulnerability require that the adversary is in control of where a repository will be cloned to. This either requires social engineering or a recursive clone with submodules. These cases can thus be avoided by disabling recursive clones. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
We have discovered 546 live websites that are affected by CVE-2025-48385.
Affected Software
| Product |  git |
| Category | Dev Tools |
| Vulnerable Domains | 546 live websites (89% of git install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 31 versions ( 79% of all versions) |
Common Weakness Enumeration
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')Details
- Published - Jul 8, 2025
- Updated - Nov 4, 2025
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-48385 United States | 124 websites |
 Germany | 168 websites |
 Singapore | 65 websites |
 France | 63 websites |
 GB | 23 websites |
 Netherlands | 13 websites |
 Switzerland | 10 websites |
 Denmark | 8 websites |
 Austria | 7 websites |
 Australia | 7 websites |
Website Distribution by TLD
Number of websites using CVE-2025-48385| .org | 157 websites |
| .com | 108 websites |
| .de | 67 websites |
| .net | 65 websites |
| .fr | 11 websites |
| .org.uk | 7 websites |
| .at | 6 websites |
| .ch | 6 websites |
| .nl | 6 websites |
| .eu | 6 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-48385
Top websites that are affected by CVE-2025-48385. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ****.***********.org | United States | **,*** | |
| ***.******.org | United States | **,*** | |
| ****.**.cz | Germany | **,*** | |
| ***.********.org | France | **,*** | |
| ****.**.io |  Finland | ***,*** | |
| ***.**********.org | Austria | ***,*** | |
| ***.********.org | United States | ***,*** | |
| ***.*****.org | Germany | ***,*** | |
| *******.org | France | ***,*** | |
| ***.*****.com | United States | ***,*** |
FAQ
CVE-2025-48385 is Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') in git
A total of 546 websites have been identified as vulnerable to CVE-2025-48385, based on global website indexing conducted by WebTechSurvey.
The git is affected by the CVE-2025-48385 vulnerability.
git versions up to 2.50.1 are vulnerable to CVE-2025-48385.
CVE-2025-48385 is resolved in version 2.50.1 of git.