VYPR
Vendor

Gitoxide

Products
2
CVEs
10
Across products
10
Status
Private

Products

2

Recent CVEs

10
  • CVE-2024-35186HigMay 23, 2024
    risk 0.50cvss 8.8epss 0.01

    gitoxide is a pure Rust implementation of Git. During checkout, `gix-worktree-state` does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application. This vulnerability leads…

  • CVE-2026-40034HigMay 26, 2026
    risk 0.44cvss 7.8epss 0.00

    gix-submodule before 0.29.0 (gitoxide before 0.5.21, gix before 0.84.0) incorrectly validates the update field in .gitmodules, allowing attackers to bypass the CommandForbiddenInModulesConfiguration guard when a submodule has been initialized with only partial configuration in…

  • CVE-2024-40644MedJul 18, 2024
    risk 0.37cvss 6.8epss 0.00

    gitoxide An idiomatic, lean, fast & safe pure Rust implementation of Git. `gix-path` can be tricked into running another `git.exe` placed in an untrusted location by a limited user account on Windows systems. Windows permits limited user accounts without administrative…

  • CVE-2024-32884MedApr 26, 2024
    risk 0.35cvss 6.4epss 0.01

    gitoxide is a pure Rust implementation of Git. `gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited,…

  • CVE-2024-45405MedSep 6, 2024
    risk 0.32cvss 6.0epss 0.00

    `gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing paths and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a configuration file associated with the `git` installation, but improperly…

  • CVE-2024-35197MedMay 23, 2024
    risk 0.28cvss 5.4epss 0.00

    gitoxide is a pure Rust implementation of Git. On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite…

  • CVE-2025-22620MedJan 20, 2025
    risk 0.26cvss 5.0epss 0.00

    gitoxide is an implementation of git written in Rust. Prior to 0.17.0, gix-worktree-state specifies 0777 permissions when checking out executable files, intending that the umask will restrict them appropriately. But one of the strategies it uses to set permissions is not subject…

  • CVE-2024-43785LowAug 22, 2024
    risk 0.16cvss 2.5epss 0.00

    gitoxide An idiomatic, lean, fast & safe pure Rust implementation of Git. gitoxide-core, which provides most underlying functionality of the gix and ein commands, does not neutralize newlines, backspaces, or control characters—including those that form ANSI escape…

  • CVE-2024-45305LowSep 2, 2024
    risk 0.09cvss 2.5epss 0.00

    gix-path is a crate of the gitoxide project dealing with git paths and their conversions. `gix-path` executes `git` to find the path of a configuration file that belongs to the `git` installation itself, but mistakenly treats the local repository's configuration as system-wide…

  • CVE-2026-0810Jan 26, 2026
    risk 0.00cvss epss 0.00

    A flaw was found in gix-date. The `gix_date::parse::TimeBuf::as_str` function can generate strings containing invalid non-UTF8 characters. This issue violates the internal safety invariants of the `TimeBuf` component, leading to undefined behavior when these malformed strings…