Critical severityNVD Advisory· Published Nov 7, 2024· Updated Apr 15, 2026

CVE-2024-51990

Description

jj, or Jujutsu, is a Git-compatible VCS written in rust. In affected versions specially crafted Git repositories can cause jj to write files outside the clone. This issue has been addressed in version 0.23.0. Users are advised to upgrade. Users unable to upgrade should avoid cloning repos from unknown sources.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
jj-libcrates.io	< 0.23.0	0.23.0

Patches

5de285f5eb72

https://github.com/martinvonz/jjvia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-88h5-6w7m-5w56ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-51990ghsaADVISORY
github.com/martinvonz/jj/security/advisories/GHSA-88h5-6w7m-5w56nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000