CVE-2024-32884
Published: 2024-04-26
Priority: P3 · 40 · medium · 6.4 (CVSS 3.1)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
EPSS: 0.51% (39.8th percentile)
gitoxide is a pure Rust implementation of Git. `gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs. This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. This issue has been patched in versions 0.35.0, 0.42.0 and 0.62.0.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| byron | gitoxide | < 0.42.0 | 0.42.0 |
| byron | gitoxide | < 0.62 | 0.62 |
| byron | gitoxide | < 0.35 | 0.35 |
| byron | gitoxide | >= 0 < 0.35 | 0.35 |
| gitoxidelabs | gix-transport | < 0.36.1 | 0.36.1 |
| msrc | azl3_rust_1.75.0-14_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.75.0-9_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.86.0-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_rust_1.72.0-10_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_rust_1.72.0-8_on_cbl_mariner_2.0 | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.4 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L |
| ghsa | 6.4 | MEDIUM | — |
| osv | 6.4 | MEDIUM | — |
| vendor_msrc | 6.4 | MEDIUM | — |
| vendor_redhat | 4.1 | MEDIUM | — |
OSV
Duplicate Advisory: gix-transport code execution vulnerability
osv · 2025-07-28 · CVSS 6.4 · CVE-2024-32884 [MEDIUM]
### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-rrjw-j4m2-mf34. This link is maintained to preserve external references.
### Original Description
The gix-transport crate before 0.36.1 for Rust allows command execution via the "gix clone 'ssh://-oProxyCommand=open$IFS" substring. NOTE: this was discovered before CVE-2024-32884, a similar vulnerability (involving a username field) that is more difficult to exploit.
OSV
CVE-2023-53158: The gix-transport crate before 0
osv · 2025-07-28 · CVSS 4.1 · CVE-2023-53158 [MEDIUM]
The gix-transport crate before 0.36.1 for Rust allows command execution via the "gix clone 'ssh://-oProxyCommand=open$IFS" substring. NOTE: this was discovered before CVE-2024-32884, a similar vulnerability (involving a username field) that is more difficult to exploit.
GHSA
Duplicate Advisory: gix-transport code execution vulnerability
ghsa · 2025-07-28 · CVSS 6.4 · CVE-2024-32884 [MEDIUM] · CWE-78
### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-rrjw-j4m2-mf34. This link is maintained to preserve external references.
### Original Description
The gix-transport crate before 0.36.1 for Rust allows command execution via the "gix clone 'ssh://-oProxyCommand=open$IFS" substring. NOTE: this was discovered before CVE-2024-32884, a similar vulnerability (involving a username field) that is more difficult to exploit.
OSV
gix-transport indirect code execution via malicious username
osv · 2024-04-15 · CVE-2024-32884 [MEDIUM]
### Summary
`gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs.
### Details
This is related to the patched vulnerability https://github.com/advisories/GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. Since https://github.com/Byron/gitoxide/pull/1032, `gix-transport` checks the host and path portions of a URL for text that has a `-` in a position that will cause `ssh` to int
GHSA
gix-transport indirect code execution via malicious username
ghsa · 2024-04-15 · CVE-2024-32884 [MEDIUM] · CWE-77
### Summary
`gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs.
### Details
This is related to the patched vulnerability https://github.com/advisories/GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. Since https://github.com/Byron/gitoxide/pull/1032, `gix-transport` checks the host and path portions of a URL for text that has a `-` in a position that will cause `ssh` to int
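The check the Details section describes, carried over to the username as well, as an added Rust example that is not gitoxide's own code: a small parser for `ssh://[user@]host/path` clone URLs that refuses any component beginning with `-`, so nothing option-shaped can reach `ssh` as a user, host or path. The `parse_ssh_url`, `SshTarget` and `UrlError` names are this example's own, and ports are left inside `host` for brevity.

```rust
/// Pieces of an `ssh://` clone URL that would each reach `ssh` as an argument.
#[derive(Debug, PartialEq)]
pub struct SshTarget {
    pub user: Option<String>,
    pub host: String,
    pub path: String,
}

#[derive(Debug, PartialEq)]
pub enum UrlError {
    NotSsh,
    Missing(&'static str),
    /// The named component starts with `-`, so `ssh` would parse it as an option.
    LooksLikeOption(&'static str, String),
}

/// Refuse a component that `ssh` would read as a command-line option
/// (for example `-oProxyCommand=...`) rather than as a user, host or path.
fn reject_option_like(kind: &'static str, value: &str) -> Result<(), UrlError> {
    if value.starts_with('-') {
        return Err(UrlError::LooksLikeOption(kind, value.to_string()));
    }
    Ok(())
}

/// Parse `ssh://[user@]host/path`, applying the option check to the
/// username as well as to the host and path (hypothetical helper, not gix-transport's API).
pub fn parse_ssh_url(url: &str) -> Result<SshTarget, UrlError> {
    let rest = url.strip_prefix("ssh://").ok_or(UrlError::NotSsh)?;
    // Everything before the first `/` is the authority; the rest is the path.
    let (authority, path) = rest
        .split_once('/')
        .map(|(a, p)| (a, format!("/{p}")))
        .ok_or(UrlError::Missing("path"))?;
    // The last `@` separates an optional user from the host; a user may itself contain `@`.
    let (user, host) = match authority.rsplit_once('@') {
        Some((u, h)) => (Some(u), h),
        None => (None, authority),
    };
    if host.is_empty() {
        return Err(UrlError::Missing("host"));
    }
    if let Some(u) = user {
        reject_option_like("username", u)?;
    }
    reject_option_like("host", host)?;
    reject_option_like("path", path.trim_start_matches('/'))?;
    Ok(SshTarget { user: user.map(str::to_string), host: host.to_string(), path })
}
```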
OSV
gix-transport indirect code execution via malicious username
osv · 2024-04-13 · CVE-2024-32884
### Summary
`gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs.
The first `gix` crate with the fix [is version 0.62.0](https://crates.io/crates/gix/0.62.0), and the first fixed `gix` CLI is [version 0.35](https://github.com/Byron/gitoxide/releases/tag/v0.35.0). `gix-transport` [at version v0.42](https://crates.io/crates/gix-transport/0.42.0) is the lowest-level plumbing crate with the fix.
### Details
Th
Red Hat
gix-transport: gix Command Execution Vulnerability
vendor_redhat · 2025-07-28 · CVSS 4.1 · CVE-2023-53158 [MEDIUM] · CWE-78
The gix-transport crate before 0.36.1 for Rust allows command execution via the "gix clone 'ssh://-oProxyCommand=open$IFS" substring. NOTE: this was discovered before CVE-2024-32884, a similar vulnerability (involving a username field) that is more difficult to exploit.
A flaw was found in gix-transport. The handling of clone URLs by the crate allows an attacker to execute arbitrary commands by injecting a malicious substring into the URL, specifically through the `ssh` protocol and `ProxyCommand` option. This vulnerability allows a local attacker to trigger command execution by providing a crafted URL containing the "gix clone 'ssh://-oProxyCommand=open$IFS" sequence, resulting in the execution of commands as the user running the `gix`
Microsoft
vendor_msrc · 2025-07-08 · CVSS 4.1 · CVE-2023-53158 [MEDIUM] · CWE-78
The gix-transport crate before 0.36.1 for Rust allows command execution via the "gix clone 'ssh://-oProxyCommand=open$IFS" substring. NOTE: this was discovered before CVE-2024-32884, a similar vulnerability (involving a username field) that is more difficult to exploit.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more informati
Microsoft
gix-transport indirect code execution via malicious username
vendor_msrc · 2024-04-09 · CVSS 6.4 · CVE-2024-32884 [MEDIUM] · CWE-77
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: ht
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.