Microsoft Visual Studio update for Git

1) Input validation error

EUVDB-ID: #VU112638

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2025-48385

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected client.

The vulnerability exists due to insufficient validation of bundle-uri parameter when cloning a repository. A remote attacker can trick the victim into cloning a specially crafted repository, perform a protocol injection attack and write code to arbitrary locations on the system, leading to remote code execution. 

Mitigation

Install update from vendor's website.

Vulnerable software versions

Visual Studio: 16.11.0 16.11.31605.320 - 17.12.9 17.12.9

CPE2.3

• cpe:2.3:a:microsoft:visual_studio:16.11.0:16.11.31605.320:*:*:*:*:*:*
• cpe:2.3:a:microsoft:visual_studio:16.11.1:16.11.31613.86:*:*:*:*:*:*
• cpe:2.3:a:microsoft:visual_studio:16.11.2:16.11.31624.102:*:*:*:*:*:*
• cpe:2.3:a:microsoft:visual_studio:16.11.3:16.11.31702.278:*:*:*:*:*:*
• cpe:2.3:a:microsoft:visual_studio:16.11.4:16.11.31727.386:*:*:*:*:*:*
• cpe:2.3:a:microsoft:visual_studio:16.11.5:16.11.31729.503:*:*:*:*:*:*
• cpe:2.3:a:microsoft:visual_studio:16.11.6:16.11.31829.152:*:*:*:*:*:*
• cpe:2.3:a:microsoft:visual_studio:16.11.7:16.11.31911.196:*:*:*:*:*:*
• cpe:2.3:a:microsoft:visual_studio:16.11.8:16.11.32002.261:*:*:*:*:*:*
• cpe:2.3:a:microsoft:visual_studio:16.11.9:16.11.32106.194:*:*:*:*:*:*

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2025-48385

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.