CVE-2024-32884: Command Injection in Gitoxide

Severity: 6.4 MEDIUM (NVD)
Scores: NVD 4.1, OSV 4.1
EPSS: 0.1% (top 79.56%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 26; latest update Jul 28

Description

gitoxide is a pure Rust implementation of Git. `gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs. This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appe
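The check the description says was missing, as an added illustration (not gitoxide's own code): a minimal ssh:// URL splitter and a function that builds the `user@host` destination for the external `ssh` program while refusing any username or host that begins with `-`, since `ssh` would read such a string as an option. `split_ssh_url`, `ssh_destination` and `UrlError` are hypothetical names; ports and percent-encoding are deliberately not handled.

```rust
// Added example for CVE-2024-32884; not code from gitoxide or gix-transport.
#[derive(Debug, PartialEq)]
pub enum UrlError {
    /// A URL component that `ssh` would parse as a command-line option.
    OptionLike(String),
    /// Not an ssh:// URL or no authority part at all.
    Malformed,
}

/// Hypothetical minimal splitter: "ssh://[user@]host/path" -> (user, host).
/// Real URL parsing (as in gix-url) is far more complete; this only isolates
/// the two components that reach the `ssh` command line.
pub fn split_ssh_url(url: &str) -> Result<(Option<&str>, &str), UrlError> {
    let rest = url.strip_prefix("ssh://").ok_or(UrlError::Malformed)?;
    let authority = rest.split('/').next().unwrap_or("");
    if authority.is_empty() {
        return Err(UrlError::Malformed);
    }
    match authority.rsplit_once('@') {
        Some((user, host)) => Ok((Some(user), host)),
        None => Ok((None, authority)),
    }
}

/// Build the destination argument handed to `ssh`. Any component starting
/// with '-' is rejected before it can be interpreted as an option.
pub fn ssh_destination(url: &str) -> Result<String, UrlError> {
    let (user, host) = split_ssh_url(url)?;
    if host.starts_with('-') {
        return Err(UrlError::OptionLike(host.to_string()));
    }
    match user {
        Some(u) if u.starts_with('-') => Err(UrlError::OptionLike(u.to_string())),
        Some(u) => Ok(format!("{u}@{host}")),
        None => Ok(host.to_string()),
    }
}

fn main() {
    // Constructed sample URLs: one benign, one with an option-like username.
    for url in ["ssh://git@example.com/repo.git", "ssh://-oOption=value@example.com/repo.git"] {
        println!("{url} -> {:?}", ssh_destination(url));
    }
}
```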

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L (Exploitability: 1.6 | Impact: 4.7)

Affected Packages: 8 packages

Vulnerability Details (6)

OSV: Duplicate Advisory: gix-transport code execution vulnerability (2025-07-28)
OSV: CVE-2023-53158: The gix-transport crate before 0 (2025-07-28)
GHSA: Duplicate Advisory: gix-transport code execution vulnerability (2025-07-28)
OSV: gix-transport indirect code execution via malicious username (2024-04-15)
GHSA: gix-transport indirect code execution via malicious username (2024-04-15)

Vendor Advisories (3)

Red Hat: gix-transport: gix Command Execution Vulnerability (2025-07-28)
Microsoft: The gix-transport crate before 0.36.1 for Rust allows command execution via the "gix clone 'ssh://-oProxyCommand=open$IFS" substring. NOTE: this was discovered before CVE-2024-32884, a similar vulnera (2025-07-08)
Microsoft: gix-transport indirect code execution via malicious username (2024-04-09)
CVE-2024-32884 — Command Injection in Byron Gitoxide | cvebase