VYPR
Medium severity6.4OSV Advisory· Published Apr 26, 2024· Updated Apr 15, 2026

CVE-2024-32884

CVE-2024-32884

Description

gitoxide is a pure Rust implementation of Git. gix-transport does not check the username part of a URL for text that the external ssh program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs. This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. This issue has been patched in versions 0.35.0, 0.42.0 and 0.62.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
gix-transportcrates.io
< 0.42.00.42.0
gixcrates.io
< 0.620.62
gitoxidecrates.io
< 0.350.35

Affected products

8

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.