VYPR
← All advisories
Medium severityOSV Advisory· Published Jun 25, 2025· Updated Apr 15, 2026

CVE-2025-50178

CVE-2025-50178

Description

GitForge.jl is a unified interface for interacting with Git "forges." Versions prior to 0.4.3 lack input validation for user provided values in certain functions. In the GitForge.get_repo function for GitHub, the user can provide any string for the owner and repo fields. These inputs are not validated or safely encoded and are sent directly to the server. This means a user can add path traversal patterns like ../ in the input to access any other endpoints on api.github.com that were not intended. Version 0.4.3 contains a patch for the issue. No known workarounds are available.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitForge.jl before 0.4.3 lacks input validation in get_repo, allowing path traversal to access arbitrary api.github.com endpoints.

Vulnerability

Overview

GitForge.jl versions prior to 0.4.3 do not validate user-supplied input for the owner and repo parameters in the GitForge.get_repo function for GitHub. These values are directly embedded into the API request URL without sanitization, enabling path traversal sequences like ../ to be injected [1][2].

Exploitation

An attacker who can control the owner or repo arguments passed to GitForge.get_repo can craft strings such as "../octocat/Hello-World" to navigate the URL path. This allows the attacker to reach unintended endpoints on api.github.com that the library normally would not access. No authentication or special network position is required beyond the ability to supply input to the vulnerable function [1][2].

Impact

By exploiting the path traversal, an attacker can query arbitrary GitHub API endpoints, potentially accessing sensitive information or performing actions that the application's intended use of the library would not permit. The exact impact depends on the endpoints reached and the permissions of the underlying GitHub token used by the application [2].

Mitigation

The issue is fixed in GitForge.jl version 0.4.3, which adds checks to disallow path navigation and newline characters in endpoint URLs. Users should upgrade immediately; no workarounds are available [1][2].

References
  1. disallow path navigation and newlines in urls by tanmaykm · Pull Request #50 · JuliaWeb/GitForge.jl
  2. Lack of validation for user-provided fields in GitForge.jl

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

1
527332b8da1b
https://github.com/juliaweb/gitforge.jlvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.