Medium severity 6.8 · NVD Advisory · Published Apr 4, 2025 · Updated Apr 15, 2026

CVE-2025-31130

Description

gitoxide is an implementation of git written in Rust. Before 0.42.0, gitoxide uses SHA-1 hash implementations without any collision detection, leaving it vulnerable to hash collision attacks. gitoxide uses the sha1_smol or sha1 crate, both of which implement standard SHA-1 without any mitigations for collision attacks. This means that two distinct Git objects with colliding SHA-1 hashes would break the Git object model and integrity checks when used with gitoxide. This vulnerability is fixed in 0.42.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package (registry) | Affected versions | Patched versions |
|---|---|---|
| gix-features (crates.io) | < 0.41.0 | 0.41.0 |
| gix-commitgraph (crates.io) | < 0.27.0 | 0.27.0 |
| gix-index (crates.io) | < 0.39.0 | 0.39.0 |
| gix-object (crates.io) | < 0.48.0 | 0.48.0 |
| gix-odb (crates.io) | < 0.68.0 | 0.68.0 |
| gix-pack (crates.io) | < 0.58.0 | 0.58.0 |
| gitoxide (crates.io) | < 0.42.0 | 0.42.0 |
| gitoxide-core (crates.io) | < 0.46.0 | 0.46.0 |
| gix (crates.io) | < 0.71.0 | 0.71.0 |
| gix-archive (crates.io) | < 0.20.0 | 0.20.0 |
| gix-blame (crates.io) | < 0.1.0 | 0.1.0 |
| gix-config (crates.io) | < 0.44.0 | 0.44.0 |
| gix-diff (crates.io) | < 0.51.0 | 0.51.0 |
| gix-dir (crates.io) | < 0.13.0 | 0.13.0 |
| gix-discover (crates.io) | < 0.39.0 | 0.39.0 |
| gix-filter (crates.io) | < 0.18.0 | 0.18.0 |
| gix-fsck (crates.io) | < 0.10.0 | 0.10.0 |
| gix-merge (crates.io) | < 0.4.0 | 0.4.0 |
| gix-negotiate (crates.io) | < 0.19.0 | 0.19.0 |
| gix-protocol (crates.io) | < 0.49.0 | 0.49.0 |
| gix-ref (crates.io) | < 0.51.0 | 0.51.0 |
| gix-revision (crates.io) | < 0.33.0 | 0.33.0 |
| gix-revwalk (crates.io) | < 0.19.0 | 0.19.0 |
| gix-status (crates.io) | < 0.18.0 | 0.18.0 |
| gix-traverse (crates.io) | < 0.45.0 | 0.45.0 |
| gix-worktree (crates.io) | < 0.40.0 | 0.40.0 |
| gix-worktree-state (crates.io) | < 0.18.0 | 0.18.0 |
