VYPR
Medium severity · OSV Advisory · Published Jun 25, 2025 · Updated Apr 15, 2026

CVE-2025-52569


Description

GitForge.jl is a unified interface for interacting with Git "forges." Versions prior to 5.9.1 lack input validation for user-provided values in certain functions. In the GitHub.repo() function, the user can provide any string for the repo_name field. These inputs are not validated or safely encoded and are sent directly to the server. This means a user can add path traversal patterns like ../ to the input to reach other endpoints on api.github.com that were not intended. Users should upgrade immediately to v5.9.1 or later to receive a patch. All prior versions are vulnerable. No known workarounds are available.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitForge.jl (GitHub.jl) before v5.9.1 lacks input validation, allowing path traversal via repo_name to access arbitrary api.github.com endpoints.

Vulnerability

CVE-2025-52569 describes a lack of input validation in GitForge.jl (specifically the GitHub.jl package) prior to version 5.9.1. The GitHub.repo() function accepts a user-provided string for the repo_name field without sanitization or safe encoding [1][2]. This field is directly interpolated into API URLs sent to api.github.com.

Exploitation

An attacker can supply path traversal sequences such as ../ in the repo_name parameter. Because the input is not validated, these patterns are passed directly to the server, allowing the attacker to craft requests to unintended endpoints on api.github.com [2]. No authentication is required beyond normal API access; the attack surface is any code path that accepts user-controlled repo_name values.

Impact

Successful exploitation enables an attacker to access arbitrary API endpoints on api.github.com that were not intended to be reachable via the repo() function. This could lead to information disclosure or unauthorized operations, depending on the permissions of the authenticated API session [1][2].

Mitigation

The vulnerability is fixed in GitHub.jl version 5.9.1 (upgrading to v5.10.0 is recommended). All prior versions are affected. There are no known workarounds; users must upgrade immediately [2]. The fix, implemented in pull request #224, disallows path traversal and whitespace characters in API URLs [1].
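The traversal that the description and the fix above refer to, shown as an added example in Julia that is not GitForge.jl's own code: an unvalidated URL builder shows where a repo_name of "../../user" actually lands once the path is normalised, and a validating builder rejects it before any request is made. API_BASE, unsafe_repo_url, safe_repo_url, normalize_path, check_api_path and the character allowlist are assumptions made for this illustration, not the package's identifiers.

```julia
# Added example (not GitForge.jl's own code). Demonstrates why verbatim
# interpolation of a user-supplied path segment lets "../" rewrite the
# request path, and how an allowlist plus a traversal check prevents it.

const API_BASE = "https://api.github.com"   # assumption for this example

# Mirrors the flaw the advisory describes: the caller-supplied name is
# interpolated verbatim, so "../" components change which endpoint is hit.
unsafe_repo_url(owner::AbstractString, repo_name::AbstractString) =
    "$API_BASE/repos/$owner/$repo_name"

# Resolve "." and ".." components the way an HTTP client or server would,
# so we can see where a traversing request actually lands.
function normalize_path(path::AbstractString)
    out = String[]
    for seg in split(path, '/'; keepempty=false)
        if seg == "."
            continue
        elseif seg == ".."
            isempty(out) || pop!(out)
        else
            push!(out, String(seg))
        end
    end
    return "/" * join(out, "/")
end

# Assumed allowlist for one path segment: only characters that are unreserved
# in a URL, and never a traversal component. Percent-encoding alone would not
# help here, because "." and ".." consist of unreserved characters and survive
# encoding unchanged.
const SEGMENT_RE = r"^[A-Za-z0-9_.-]+$"

function validate_segment(s::AbstractString)
    isempty(s) && throw(ArgumentError("empty path segment"))
    s in (".", "..") && throw(ArgumentError("path traversal component rejected: $(repr(s))"))
    occursin(SEGMENT_RE, s) || throw(ArgumentError("invalid characters in path segment: $(repr(s))"))
    return s
end

safe_repo_url(owner::AbstractString, repo_name::AbstractString) =
    "$API_BASE/repos/$(validate_segment(owner))/$(validate_segment(repo_name))"

# Defence in depth, in the spirit of the fix the advisory cites: reject any
# assembled API path that still carries a traversal component or whitespace.
function check_api_path(path::AbstractString)
    any(isspace, path) && throw(ArgumentError("whitespace in API path"))
    any(seg -> seg in (".", ".."), split(path, '/')) &&
        throw(ArgumentError("path traversal in API path"))
    return path
end

# Constructed inputs: a normal repository name and one carrying a traversal pattern.
for name in ("GitForge.jl", "../../user")
    url = unsafe_repo_url("owner", name)
    path = normalize_path(url[length(API_BASE)+1:end])
    println("unsafe: ", rpad(repr(name), 14), " -> ", API_BASE, path)
    try
        safe = safe_repo_url("owner", name)
        check_api_path(safe[length(API_BASE)+1:end])
        println("safe:   ", rpad(repr(name), 14), " -> ", safe)
    catch err
        println("safe:   ", rpad(repr(name), 14), " -> rejected (", err.msg, ")")
    end
end
```

For the traversing input the unsafe builder resolves to `https://api.github.com/user`, an endpoint the caller never named, while the validating builder raises an ArgumentError before a request is assembled. Rejecting "." and ".." as whole segments is the essential part; the allowlist and the final path check are independent layers so that a future interpolation site that forgets to validate is still caught.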

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 1

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0

No linked articles in our index yet.