CVE-2025-31130
published 2025-04-04

Priority: P432
Severity: medium, 6.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
EPSS: 0.22% (12.8th percentile)
gitoxide is an implementation of git written in Rust. Before 0.42.0, gitoxide computed Git object IDs with the sha1_smol or sha1 crate, both of which implement plain SHA-1 with no collision detection, leaving it vulnerable to hash-collision attacks. SHA-1 collisions have been practical since SHAttered (2017), which is why upstream Git has used the collision-detecting SHA-1DC implementation by default since 2.13; gitoxide had no equivalent mitigation. As a result, two distinct Git objects with colliding SHA-1 hashes would be treated as the same object by gitoxide, breaking the Git object model and its integrity checks (for example, a crafted object could be substituted for a legitimate one with the same ID). This vulnerability is fixed in 0.42.0.
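The following is an added example, not gitoxide's code or the fix shipped in 0.42.0. It shows what the advisory is describing: Git derives an object ID from the framed buffer "<type> <size>\0<payload>", and a content-addressed store that trusts that ID blindly will silently alias two colliding objects. Because plain hashlib.sha1 (like the sha1 and sha1_smol crates) cannot report a collision, the store below does the next-best check at write time: an existing ID must map to identical bytes, otherwise the write is rejected. The constant-output hasher, the class and function names are constructed for this illustration; the colliding hasher merely simulates a collision so the rejection path can be exercised offline.

```python
import hashlib
from typing import Callable, Dict

# Any callable that behaves like hashlib.sha1: takes bytes, returns an object
# with .hexdigest(). Injected so the collision path can be exercised offline.
Hasher = Callable[[bytes], "hashlib._Hash"]


def frame_object(kind: str, payload: bytes) -> bytes:
    """Git hashes "<type> <size>\\0<payload>", not the raw payload."""
    return f"{kind} {len(payload)}".encode("ascii") + b"\x00" + payload


def git_object_id(kind: str, payload: bytes, hasher: Hasher = hashlib.sha1) -> str:
    """Object ID as `git hash-object` would compute it (hex SHA-1 of the framed buffer)."""
    return hasher(frame_object(kind, payload)).hexdigest()


class CollisionDetected(Exception):
    """Two distinct framed objects mapped to the same object ID."""


class ObjectStore:
    """Content-addressed store that refuses to alias distinct objects.

    Plain SHA-1 gives no signal when a collision occurs, so the store
    compares bytes whenever an ID is already present. This only catches
    a collision once both colliding objects reach the same store; a
    collision-detecting hash (SHA-1DC, as upstream Git uses) flags the
    crafted object on its own, which is the stronger mitigation.
    """

    def __init__(self, hasher: Hasher = hashlib.sha1) -> None:
        self._hasher = hasher
        self._objects: Dict[str, bytes] = {}

    def put(self, kind: str, payload: bytes) -> str:
        framed = frame_object(kind, payload)
        oid = self._hasher(framed).hexdigest()
        existing = self._objects.get(oid)
        if existing is not None and existing != framed:
            # Same ID, different bytes: never overwrite, never alias.
            raise CollisionDetected(f"object {oid} already stored with different content")
        self._objects[oid] = framed
        return oid

    def get(self, oid: str) -> bytes:
        return self._objects[oid]


def _colliding_hasher(_data: bytes):
    """Constructed stand-in for a collided hash: every input yields one digest.

    It exists only to drive the rejection path; it is not a real SHA-1
    collision, which would require a SHAttered-style attack to produce.
    """
    return hashlib.sha1(b"constructed-collision")


def demo_collision_rejected() -> bool:
    """Returns True when the store refuses the second, colliding object."""
    store = ObjectStore(hasher=_colliding_hasher)
    store.put("blob", b"benign content\n")
    try:
        store.put("blob", b"malicious content\n")
    except CollisionDetected:
        return True
    return False


if __name__ == "__main__":
    # Reference values match `git hash-object --stdin` for the same input.
    print("empty blob:", git_object_id("blob", b""))
    print("hello blob:", git_object_id("blob", b"hello\n"))
    print("collision rejected:", demo_collision_rejected())
```

The byte comparison is cheap and worth having in any content-addressed store, but it is a backstop, not a replacement for a collision-detecting hash: an attacker who gets only the crafted half of a colliding pair in front of a victim is never seen by this check.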

Affected

16 ranges
Vendor        | Product                                         | Version range                          | Fixed in
byron         | gitoxide                                        | >= 0, < 0.42.0                         | 0.42.0
debian        | rust-gix-features                               | < rust-gix-features 0.39.1-2 (forky)   | rust-gix-features 0.39.1-2 (forky)
gitoxidelabs  | gitoxide                                        | < 0.42.0                               | 0.42.0
msrc          | azl3_ceph_18.2.2-8_on_azure_linux_3.0           |                                        |
msrc          | azl3_grpc_1.42.0-7_on_azure_linux_3.0           |                                        |
msrc          | azl3_grpc_1.62.0-2_on_azure_linux_3.0           |                                        |
msrc          | azl3_rubygem-mini_portile2_2.8.4-1_on_azure_linux_3.0 |                                  |
msrc          | azl3_tensorflow_2.16.1-9_on_azure_linux_3.0     |                                        |
msrc          | cbl2_c-ares_1.19.1-1_on_cbl_mariner_2.0         |                                        |
msrc          | cbl2_ceph_16.2.10-7_on_cbl_mariner_2.0          |                                        |
msrc          | cbl2_fluent-bit_2.1.10-1_on_cbl_mariner_2.0     |                                        |
msrc          | cbl2_grpc_1.42.0-11_on_cbl_mariner_2.0          |                                        |
msrc          | cbl2_nodejs18_18.17.1-2_on_cbl_mariner_2.0      |                                        |
msrc          | cbl2_nodejs_16.20.1-2_on_cbl_mariner_2.0        |                                        |
msrc          | cbl2_python-gevent_21.1.2-3_on_cbl_mariner_2.0  |                                        |
msrc          | cm1_c-ares_1.19.1-1_on_cbl_mariner_1.0          |                                        |

CVSS provenance

Source        | CVSS version | Score | Severity | Vector
nvd           | 3.1          | 6.8   | MEDIUM   | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
ghsa          |              | 6.8   | MEDIUM   |
osv           |              | 6.8   | MEDIUM   |
vendor_debian |              | 6.8   | MEDIUM   |
vendor_msrc   |              | 6.4   | MEDIUM   |