VYPR
High severity (8.8) · OSV Advisory · Published May 23, 2024 · Updated Apr 15, 2026

CVE-2024-35186

Description

gitoxide is a pure Rust implementation of Git. During checkout, gix-worktree-state does not verify that the paths it writes point to locations inside the working tree. A specially crafted repository can therefore, when cloned, place new files anywhere the application has write access. This can lead to a major loss of confidentiality, integrity, and availability; even without any attempt to execute code, creating files outside the working tree directly impacts integrity. This vulnerability has been patched in gitoxide version 0.36.0.
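The missing check is path containment: every index entry path must resolve to a location under the working-tree root before anything is written. The following is an added illustration of such a check, not code from gitoxide or from the advisory; the working-tree root and the sample entry paths are constructed for the example.

```rust
use std::path::{Component, Path, PathBuf};

/// Accept only repository-relative paths that cannot leave the working tree.
/// Git index paths are '/'-separated and relative; anything else is rejected:
/// NUL bytes, backslashes (a separator on Windows), absolute paths, drive or
/// UNC prefixes, and any `.` or `..` component.
pub fn is_contained_in_worktree(rel: &str) -> bool {
    if rel.is_empty() || rel.contains('\0') || rel.contains('\\') {
        return false;
    }
    Path::new(rel)
        .components()
        .all(|c| matches!(c, Component::Normal(_)))
}

/// Compute the on-disk destination for an index entry, or `None` if writing it
/// would place a file outside `worktree`.
pub fn checkout_destination(worktree: &Path, rel: &str) -> Option<PathBuf> {
    if !is_contained_in_worktree(rel) {
        return None;
    }
    let dest = worktree.join(rel);
    // Defense in depth: the joined path must still start with the root.
    if !dest.starts_with(worktree) {
        return None;
    }
    Some(dest)
}

fn main() {
    // Constructed working-tree root and index entry paths for the demo.
    let root = Path::new("/tmp/worktree");
    for rel in ["src/main.rs", "../outside.txt", "/etc/passwd", "a/../../b"] {
        match checkout_destination(root, rel) {
            Some(p) => println!("write  {rel:?} -> {}", p.display()),
            None => println!("REJECT {rel:?}: would escape the working tree"),
        }
    }
}
```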

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Registry    Affected versions   Patched versions
gix-worktree-state   crates.io   < 0.11.0            0.11.0
gitoxide             crates.io   < 0.36.0            0.36.0
gix-fs               crates.io   < 0.11.0            0.11.0
gix-worktree         crates.io   < 0.34.0            0.34.0
gix                  crates.io   < 0.63.0            0.63.0
gitoxide-core        crates.io   < 0.38.0            0.38.0
gix-index            crates.io   < 0.33.0            0.33.0
