Medium severity 6.8 · NVD Advisory · Published Apr 4, 2025 · Updated Apr 15, 2026
CVE-2025-31130
Description
gitoxide is an implementation of git written in Rust. Before 0.42.0, gitoxide uses SHA-1 hash implementations without any collision detection, leaving it vulnerable to hash collision attacks. gitoxide uses the sha1_smol or sha1 crate, both of which implement standard SHA-1 without any mitigations for collision attacks. This means that two distinct Git objects with colliding SHA-1 hashes would break the Git object model and integrity checks when used with gitoxide. This vulnerability is fixed in 0.42.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| gix-features (crates.io) | < 0.41.0 | 0.41.0 |
| gix-commitgraph (crates.io) | < 0.27.0 | 0.27.0 |
| gix-index (crates.io) | < 0.39.0 | 0.39.0 |
| gix-object (crates.io) | < 0.48.0 | 0.48.0 |
| gix-odb (crates.io) | < 0.68.0 | 0.68.0 |
| gix-pack (crates.io) | < 0.58.0 | 0.58.0 |
| gitoxide (crates.io) | < 0.42.0 | 0.42.0 |
| gitoxide-core (crates.io) | < 0.46.0 | 0.46.0 |
| gix (crates.io) | < 0.71.0 | 0.71.0 |
| gix-archive (crates.io) | < 0.20.0 | 0.20.0 |
| gix-blame (crates.io) | < 0.1.0 | 0.1.0 |
| gix-config (crates.io) | < 0.44.0 | 0.44.0 |
| gix-diff (crates.io) | < 0.51.0 | 0.51.0 |
| gix-dir (crates.io) | < 0.13.0 | 0.13.0 |
| gix-discover (crates.io) | < 0.39.0 | 0.39.0 |
| gix-filter (crates.io) | < 0.18.0 | 0.18.0 |
| gix-fsck (crates.io) | < 0.10.0 | 0.10.0 |
| gix-merge (crates.io) | < 0.4.0 | 0.4.0 |
| gix-negotiate (crates.io) | < 0.19.0 | 0.19.0 |
| gix-protocol (crates.io) | < 0.49.0 | 0.49.0 |
| gix-ref (crates.io) | < 0.51.0 | 0.51.0 |
| gix-revision (crates.io) | < 0.33.0 | 0.33.0 |
| gix-revwalk (crates.io) | < 0.19.0 | 0.19.0 |
| gix-status (crates.io) | < 0.18.0 | 0.18.0 |
| gix-traverse (crates.io) | < 0.45.0 | 0.45.0 |
| gix-worktree (crates.io) | < 0.40.0 | 0.40.0 |
| gix-worktree-state (crates.io) | < 0.18.0 | 0.18.0 |
Affected products
36 OSV package coordinates, each with its affected version range:
- pkg:apk/chainguard/cargo-audit (no CPE), range: < 0.22.0-r0
- pkg:apk/chainguard/cargo-c (no CPE), range: < 0.10.18-r0
- pkg:apk/chainguard/helix (no CPE), range: < 25.01.1-r1
- pkg:apk/chainguard/starship (no CPE), range: < 1.24.0-r0
- pkg:apk/wolfi/cargo-audit (no CPE), range: < 0.22.0-r0
- pkg:apk/wolfi/cargo-c (no CPE), range: < 0.10.18-r0
- pkg:apk/wolfi/helix (no CPE), range: < 25.01.1-r1
- pkg:apk/wolfi/starship (no CPE), range: < 1.24.0-r0
- pkg:cargo/gitoxide (no CPE), range: < 0.42.0
- pkg:cargo/gitoxide-core (no CPE), range: < 0.46.0
- pkg:cargo/gix (no CPE), range: < 0.71.0
- pkg:cargo/gix-archive (no CPE), range: < 0.20.0
- pkg:cargo/gix-blame (no CPE), range: < 0.1.0
- pkg:cargo/gix-commitgraph (no CPE), range: < 0.27.0
- pkg:cargo/gix-config (no CPE), range: < 0.44.0
- pkg:cargo/gix-diff (no CPE), range: < 0.51.0
- pkg:cargo/gix-dir (no CPE), range: < 0.13.0
- pkg:cargo/gix-discover (no CPE), range: < 0.39.0
- pkg:cargo/gix-features (no CPE), range: < 0.41.0
- pkg:cargo/gix-filter (no CPE), range: < 0.18.0
- pkg:cargo/gix-fsck (no CPE), range: < 0.10.0
- pkg:cargo/gix-index (no CPE), range: < 0.39.0
- pkg:cargo/gix-merge (no CPE), range: < 0.4.0
- pkg:cargo/gix-negotiate (no CPE), range: < 0.19.0
- pkg:cargo/gix-object (no CPE), range: < 0.48.0
- pkg:cargo/gix-odb (no CPE), range: < 0.68.0
- pkg:cargo/gix-pack (no CPE), range: < 0.58.0
- pkg:cargo/gix-protocol (no CPE), range: < 0.49.0
- pkg:cargo/gix-ref (no CPE), range: < 0.51.0
- pkg:cargo/gix-revision (no CPE), range: < 0.33.0
- pkg:cargo/gix-revwalk (no CPE), range: < 0.19.0
- pkg:cargo/gix-status (no CPE), range: < 0.18.0
- pkg:cargo/gix-traverse (no CPE), range: < 0.45.0
- pkg:cargo/gix-worktree (no CPE), range: < 0.40.0
- pkg:cargo/gix-worktree-state (no CPE), range: < 0.18.0
- pkg:rpm/opensuse/gitoxide&distro=openSUSE%20Tumbleweed (no CPE), range: < 0.42.0-1.1
References
- github.com/advisories/GHSA-2frx-2596-x5r6 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-31130 (ghsa, ADVISORY)
- github.com/GitoxideLabs/gitoxide/commit/f253f02a6658b3b7612a50d56c71f5ae4da4ca21 (nvd, WEB)
- github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-2frx-2596-x5r6 (nvd, WEB)
- rustsec.org/advisories/RUSTSEC-2025-0021.html (ghsa, WEB)