This post has been republished via RSS; it originally appeared at: MSRC Security Update Guide.
[CVE-2025-48384](https://www.cve.org/CVERecord?id=CVE-2025-48384) is regarding a vulnerability in Git where when reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. MITRE created this CVE on their behalf. The documented Visual Studio updates incorporate updates in Git which address this vulnerability. Please see [CVE-2025-48384](https://www.cve.org/CVERecord?id=CVE-2025-48384) for more information.
Opinions, tips, and news orbiting Microsoft