Medium severity6.4NVD Advisory· Published Apr 26, 2024· Updated Apr 15, 2026

CVE-2024-32884

Description

gitoxide is a pure Rust implementation of Git. gix-transport does not check the username part of a URL for text that the external ssh program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs. This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. This issue has been patched in versions 0.35.0, 0.42.0 and 0.62.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
gix-transportcrates.io	< 0.42.0	0.42.0
gixcrates.io	< 0.62	0.62
gitoxidecrates.io	< 0.35	0.35

Patches

d248e3d87d45

https://github.com/byron/gitoxidevia osv

095c6739b272

https://github.com/byron/gitoxidevia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-98p4-xjmm-8mfhghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-32884ghsaADVISORY
github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfhnvdWEB
rustsec.org/advisories/RUSTSEC-2024-0335.htmlnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.416
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000