CVE-2024-43785
Published: 2024-08-22
Priority: P49
CVSS 3.1: 2.5 (low), vector AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS: 0.20% (9.8th percentile)
gitoxide is an idiomatic, lean, fast & safe pure Rust implementation of Git. gitoxide-core, which provides most underlying functionality of the gix and ein commands, does not neutralize newlines, backspaces, or control characters—including those that form ANSI escape sequences—that appear in a repository's paths, author and committer names, commit messages, or other metadata. Such text may be written as part of the output of a command, as well as appearing in error messages when an operation fails. This sometimes allows an untrusted repository to misrepresent its contents and to alter or concoct error messages.
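The following is an added example, not gitoxide's own code and not the upstream fix. It shows in Rust what the description above means in practice: a constructed commit message carrying an ANSI "erase line" sequence plus a carriage return, and a constructed path carrying a newline, are run through a small VT100-style line simulator to show what a terminal would display, and then through a neutralizer that renders every control character (C0, DEL and C1, including ESC) as a visible escape. The sample strings, the `\e`-style escape notation and the lossy UTF-8 handling are choices made for this example.

```rust
// Added example (not gitoxide code): what CVE-2024-43785 lets a repository do to a
// terminal, and one way to neutralize it. The sample strings below are constructed.

/// True if the text contains any character a terminal would act on rather than
/// display: C0 controls (incl. \n, \r, backspace, ESC), DEL and C1 controls.
pub fn has_terminal_controls(raw: &[u8]) -> bool {
    String::from_utf8_lossy(raw).chars().any(|c| c.is_control())
}

/// Render repository-controlled bytes (a path, author, commit message) so that
/// every control character becomes a visible escape. Backslash is escaped too,
/// so the output is unambiguous. Invalid UTF-8 becomes U+FFFD via the lossy
/// conversion, which is the behaviour assumed here for display purposes.
pub fn neutralize_for_terminal(raw: &[u8]) -> String {
    let text = String::from_utf8_lossy(raw);
    let mut out = String::with_capacity(text.len());
    for c in text.chars() {
        match c {
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            '\x08' => out.push_str("\\b"),
            '\x1b' => out.push_str("\\e"),
            c if c.is_control() => out.push_str(&format!("\\x{:02x}", c as u32)),
            c => out.push(c),
        }
    }
    out
}

/// Approximate what a VT100-style terminal shows for one line of raw output:
/// `\r` returns to column 0, backspace steps back one column, `ESC [ 2 K`
/// blanks the line, any other CSI sequence is swallowed without effect, other
/// controls are dropped, and printable characters overwrite what is under the
/// cursor. Output stops at the first newline (the rest would be a new line).
pub fn simulate_terminal_line(raw: &str) -> String {
    let mut line: Vec<char> = Vec::new();
    let mut col = 0usize;
    let mut chars = raw.chars().peekable();
    while let Some(c) = chars.next() {
        match c {
            '\n' => break,
            '\r' => col = 0,
            '\x08' => col = col.saturating_sub(1),
            '\x1b' => {
                if chars.peek() == Some(&'[') {
                    chars.next();
                    let mut params = String::new();
                    let mut final_byte = None;
                    for n in chars.by_ref() {
                        if ('\x40'..='\x7e').contains(&n) {
                            final_byte = Some(n);
                            break;
                        }
                        params.push(n);
                    }
                    if final_byte == Some('K') && params == "2" {
                        line.iter_mut().for_each(|ch| *ch = ' ');
                    }
                }
            }
            c if c.is_control() => {}
            c => {
                while line.len() <= col {
                    line.push(' ');
                }
                line[col] = c;
                col += 1;
            }
        }
    }
    line.into_iter().collect::<String>().trim_end().to_string()
}

fn main() {
    // Constructed samples: a commit message that erases what was printed before it,
    // and a path that fakes a second status line.
    let message = b"Fix typo\x1b[2K\rAll tests pass";
    let path = b"src/lib.rs\nmodified: Cargo.toml";
    for (label, raw) in [("commit message", &message[..]), ("path", &path[..])] {
        let shown = simulate_terminal_line(&String::from_utf8_lossy(raw));
        println!("{label}: controls present = {}", has_terminal_controls(raw));
        println!("{label}: terminal shows     {shown:?}");
        println!("{label}: neutralized        {}", neutralize_for_terminal(raw));
    }
}
```

Running it shows the commit message "Fix typo\e[2K\rAll tests pass" appearing on a raw terminal as just "All tests pass", and the path appearing as "src/lib.rs" with its second line indistinguishable from genuine tool output; the neutralized forms make both tricks visible. A tool that echoes repository metadata should apply a check like `has_terminal_controls` (or always apply the neutralizer) on the output path as well as in error messages, since both are reached by attacker-controlled strings here.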
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| byron | gitoxide | <= 0.41.0 | — |
| byron | gitoxide | 0 – 0.41.0 | — |
OSV · 2024-08-22
CVE-2024-43785: gitoxide-core does not neutralize special characters for terminals
### Summary
The `gix` and `ein` commands write pathnames and other metadata literally to terminals, even if they contain characters terminals treat specially, including ANSI escape sequences. This sometimes allows an untrusted repository to misrepresent its contents and to alter or concoct error messages.
### Details
`gitoxide-core`, which provides most underlying functionality of the `gix` and `ein` commands, does not neutralize newlines, backspaces, or control characters—including those that form ANSI escape sequences—that appear in a repository's paths, author and committer names, commit messages, or other metadata. Such text may be written as part of the output of a command, as well as appearing in error messages when an operation fails. This sometimes allows an untrusted repository to misrepresent its contents and to alter or concoct error messages.
GHSA · 2024-08-22
CVE-2024-43785 [LOW] CWE-150: gitoxide-core does not neutralize special characters for terminals (Summary and Details identical to the OSV entry above)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.