public inbox for git@vger.kernel.org 
* question about affected version of CVE-2025-48385
@ 2026-01-07  5:36 Jinfeng Wang
From: Jinfeng Wang @ 2026-01-07  5:36 UTC (permalink / raw)
  To: git

Hi all,

For this CVE https://nvd.nist.gov/vuln/detail/CVE-2025-48385,

Affected versions listed in
https://github.com/git/git/security/advisories/GHSA-m98c-vgpc-9655:
Affected versions
v2.50.0, v2.49.0, v2.48.0-v2.48.1, v2.47.0–v2.47.2, v2.46.0–v2.46.3, 
v2.45.0-v2.45.3, v2.44.0–v2.44.3, v2.43.6 and prior

But I see the fix is for bundle-uri:

git log --grep="CVE-2025-48385"
commit d2bc61fcabd6cfa582d286bed1ce20d5d7c58d52
Merge: d61cfed2c2 35cb1bb0b9
Author: Taylor Blau <me@ttaylorr•com>
Date:   Wed May 28 12:53:52 2025 -0400

     Merge branch 'ps/bundle-uri-arbitrary-writes' into maint-2.43

     This merges in the fix for CVE-2025-48385.

     * ps/bundle-uri-arbitrary-writes:
       bundle-uri: fix arbitrary file writes via parameter injection

But bundle-uri was added in v2.38.0, so versions before v2.38.0 are not
affected. Is that right?


Regards,

Jinfeng

