Skip to content

Added .yar to cover CVE_2025_48384 #452

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
vinieger wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Added .yar to cover CVE_2025_48384 #452

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 22 additions & 0 deletions cve_rules/CVE-2025-48384.yar
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

rule CVE_2025_48384_Git_Submodule_Path_CR {
meta:
description = "Detects .gitmodules entries with submodule paths containing a trailing CR causing Git to write an incorrect submodule entry and enabling subsequent hook injection - indicator of supply chain compromise (via compromised submodule), as in CVE-2025-48384."
author = "Vinicius Egerland"
cve = "CVE-2025-48384"
ghsa = "GHSA-vwqx-4fm8-6qc9"
poc_reference = "https://github.com/vinieger/CVE-2025-48384"
date = "2025-09-15"
severity = "medium"
tags = "git CVE-2025-48384 GHSA-vwqx-4fm8-6qc9 T1195.002"

strings:
$section = "[submodule \"" ascii
$path = /\s*path\s*=\s*(".+"|[^\s]+)\r"/ ascii nocase

condition:
$section and $path and filesize < 20KB
}