CVE-2025-22620
Published 2025-01-20
CVE-2025-22620: gitoxide is an implementation of git written in Rust. Prior to 0.17.0, gix-worktree-state specifies 0777 permissions when checking out executable files…
Priority: P4 · 20 · medium · 5 (CVSS 3.1)
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
EPSS: 0.36% (28.0th percentile)
gitoxide is an implementation of git written in Rust. Prior to 0.17.0, gix-worktree-state specifies 0777 permissions when checking out executable files, intending that the umask will restrict them appropriately. But one of the strategies it uses to set permissions is not subject to the umask. This causes files in a repository to be world-writable in some situations. This vulnerability is fixed in 0.17.0.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | rust-gix-worktree-state | < rust-gix-worktree-state 0.11.1-2 (forky) | rust-gix-worktree-state 0.11.1-2 (forky) |
| gitoxidelabs | gitoxide | < 0.17.0 | 0.17.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.0 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N |
| osv | | 5.0 | MEDIUM | |
| vendor_debian | | 5.0 | MEDIUM | |
GHSA
gix-worktree-state nonexclusive checkout sets executable files world-writable
ghsa·2025-01-21
CVE-2025-22620 [MEDIUM] CWE-281 gix-worktree-state nonexclusive checkout sets executable files world-writable
### Summary
`gix-worktree-state` specifies 0777 permissions when checking out executable files, intending that the umask will restrict them appropriately. But one of the strategies it uses to set permissions is not subject to the umask. This causes files in a repository to be world-writable in some situations.
### Details
Git repositories track executable bits for regular files. In tree objects and the index, regular file modes are stored as 0644 if not executable, or 0755 if executable. But this is independent of how the permissions are set in the filesystem (where supported).
[`gix_worktree_state::checkout`](https://github.com/GitoxideLabs/gitoxide/blob/8d84818240d44e1f5fe78a231b5d9bffd0283918/gix-worktree
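Added example (not gitoxide's code) showing why the two permission-setting strategies diverge: a mode passed to open(2) is masked by the kernel, while a chmod(2) after creation is not, so the hardened form masks the requested mode itself; it also includes the world-writable audit check a worktree scan would run. It assumes a Unix host and scratch files under the system temp dir; all helper names are my own.

```rust
use std::fs::{self, OpenOptions, Permissions};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};

/// Permission bits of `path`, file-type bits stripped.
pub fn mode_of(path: &Path) -> std::io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}
/// Strategy A: request 0o777 at open(2) time. The kernel applies the umask,
/// so under umask 022 the file is created 0o755. This is the intended behaviour.
/// Note the mode only takes effect when the file is newly created.
pub fn create_via_open_mode(path: &Path) -> std::io::Result<u32> {
    OpenOptions::new().write(true).create(true).truncate(true).mode(0o777).open(path)?;
    mode_of(path)
}
/// Infer the effective umask from a probe file created with strategy A, using
/// only std (umask(2) itself is not exposed by std). The probe is removed.
pub fn probe_umask(probe: &Path) -> std::io::Result<u32> {
    let got = create_via_open_mode(probe)?;
    let _ = fs::remove_file(probe);
    Ok(0o777 & !got)
}
/// Strategy B: create, then chmod(2) to 0o777. chmod ignores the umask, so the
/// file ends up 0o777 (world-writable): the outcome the advisory describes.
pub fn create_via_chmod_unmasked(path: &Path) -> std::io::Result<u32> {
    fs::File::create(path)?;
    fs::set_permissions(path, Permissions::from_mode(0o777))?;
    mode_of(path)
}
/// Hardened strategy B: mask the requested mode with the umask before chmod.
pub fn create_via_chmod_masked(path: &Path, umask: u32) -> std::io::Result<u32> {
    fs::File::create(path)?;
    fs::set_permissions(path, Permissions::from_mode(0o777 & !umask))?;
    mode_of(path)
}
/// Audit check for a checked-out worktree: is the "other" write bit set?
pub fn is_world_writable(mode: u32) -> bool {
    mode & 0o002 != 0
}
/// Assumed scratch path under the system temp dir (example only).
pub fn scratch(name: &str) -> PathBuf {
    std::env::temp_dir().join(format!("cve-2025-22620-{}-{}", std::process::id(), name))
}
```

Running `is_world_writable(mode_of(p)?)` over every regular file in a fresh checkout is a cheap way to confirm whether an affected gitoxide version actually produced world-writable files on a given host.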
OSV
gix-worktree-state nonexclusive checkout sets executable files world-writable
osv·2025-01-21
OSV
CVE-2025-22620: gitoxide is an implementation of git written in Rust
osv·2025-01-20·CVSS 5.0
OSV
gix-worktree-state nonexclusive checkout sets executable files world-writable
osv·2025-01-18
Debian
CVE-2025-22620: rust-gix-worktree-state - gitoxide is an implementation of git written in Rust. Prior to 0.17.0, gix-workt...
vendor_debian·2025·CVSS 5.0
Scope: local
forky: resolved (fixed in 0.11.1-2)
sid: resolved (fixed in 0.11.1-2)
trixie: resolved (fixed in 0.11.1-2)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.