CVE-2025-31130
Published: 2025-04-04
Priority: P4 · 32 · CVSS 3.1: 6.8 (medium)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
EPSS: 0.22% (12.8th percentile)
gitoxide is an implementation of git written in Rust. Before 0.42.0, gitoxide uses SHA-1 hash implementations without any collision detection, leaving it vulnerable to hash collision attacks. gitoxide uses the sha1_smol or sha1 crate, both of which implement standard SHA-1 without any mitigations for collision attacks. This means that two distinct Git objects with colliding SHA-1 hashes would break the Git object model and integrity checks when used with gitoxide. This vulnerability is fixed in 0.42.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| byron | gitoxide | >= 0 < 0.42.0 | 0.42.0 |
| debian | rust-gix-features | < 0.39.1-2 (forky) | 0.39.1-2 (forky) |
| gitoxidelabs | gitoxide | < 0.42.0 | 0.42.0 |
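An added example, not code from the advisory, gitoxide or Jujutsu: a Cargo.lock scanner that applies the gitoxide range above (below 0.42.0) together with the Jujutsu range from the GHSA entry further down the page (0.28.0 and earlier). The crate names `jj-cli` and `jj-lib` for Jujutsu are an assumption of this example, as is the constructed lockfile; the `gix-*` component crates are only surfaced for review because this page gives no per-crate fixed versions for them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input for this example, not a real project's lockfile.
SAMPLE_CARGO_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "gitoxide"
version = "0.41.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "gix",
]

[[package]]
name = "gix-hash"
version = "0.16.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "jj-cli"
version = "0.28.0"

[[package]]
name = "sha1_smol"
version = "1.0.1"
"""

PACKAGE_SPLIT = re.compile(r"^\[\[package\]\]\s*$", re.M)
FIELD = re.compile(r'^(name|version)\s*=\s*"([^"]*)"\s*$', re.M)


def parse_version(text: str) -> Tuple[int, int, int, int, str]:
    """Semver-ish sort key: (major, minor, patch, release_flag, pre).

    A pre-release sorts below the release with the same numbers, which is what
    "before 0.42.0" has to mean for something like 0.42.0-rc.1.
    """
    core, _, pre = text.partition("-")
    core = core.split("+", 1)[0]          # drop build metadata
    nums = [int(p) for p in core.split(".")]
    nums += [0] * (3 - len(nums))
    return (nums[0], nums[1], nums[2], 0 if pre else 1, pre)


def parse_cargo_lock(text: str) -> List[Tuple[str, str]]:
    """Return (name, version) for every [[package]] entry. A crate may appear
    more than once when the dependency tree pins several versions of it."""
    packages = []
    for block in PACKAGE_SPLIT.split(text)[1:]:
        fields = dict(FIELD.findall(block))
        if "name" in fields and "version" in fields:
            packages.append((fields["name"], fields["version"]))
    return packages


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    vulnerable: bool
    note: str


def check(name: str, version: str) -> Optional[Finding]:
    v = parse_version(version)
    # gitoxide: affected range ">= 0 < 0.42.0", fixed in 0.42.0 (from the table above).
    if name == "gitoxide" and v < parse_version("0.42.0"):
        return Finding(name, version, True,
                       "CVE-2025-31130: plain SHA-1 without collision detection; upgrade to >= 0.42.0")
    # Jujutsu: "0.28.0 and earlier". The crate names jj-cli/jj-lib are an assumption of this example.
    if name in ("jj-cli", "jj-lib") and v <= parse_version("0.28.0"):
        return Finding(name, version, True,
                       "GHSA (Jujutsu): bundles affected gitoxide; upgrade past 0.28.0")
    # gix-* component crates: no per-crate fixed versions on this page, so only surface them.
    if name == "gix" or name.startswith("gix-"):
        return Finding(name, version, False,
                       "gitoxide component crate: compare its version with the upstream advisory")
    return None


def scan(lock_text: str) -> List[Finding]:
    return [f for f in (check(n, v) for n, v in parse_cargo_lock(lock_text)) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_CARGO_LOCK):
        flag = "VULNERABLE" if f.vulnerable else "review    "
        print(f"{flag} {f.package} {f.version}: {f.note}")
```

Run it on a real lockfile with `scan(open("Cargo.lock").read())`. Projects that consume gitoxide as a library pull the `gix` crates rather than the `gitoxide` binary crate, so on such trees the review lines are the ones that matter.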
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N |
| ghsa | — | 6.8 | MEDIUM | — |
| osv | — | 6.8 | MEDIUM | — |
| vendor_debian | — | 6.8 | MEDIUM | — |
GHSA
Jujutsu does not have SHA-1 collision detection
ghsa · 2025-04-07 · CVSS 6.8 MEDIUM · CWE-328
### Summary
Jujutsu 0.28.0 and earlier rely on versions of gitoxide that use SHA-1 hash implementations without any collision detection, leaving them vulnerable to hash collision attacks.
### Details
This is a result of the underlying [CVE-2025-31130 / GHSA-2frx-2596-x5r6](https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-2frx-2596-x5r6) vulnerability in the gitoxide library Jujutsu uses to interact with Git repositories; see that advisory for technical details. This separate advisory is being issued due to the downstream impact on users of Jujutsu.
### Impact
An attacker with the ability to mount a collision attack on SHA-1 like the [SHAttered](https://shattered.io/) or [SHA-1 is a Shambles](https://sha-mbles.github.io/) a
OSV
Jujutsu does not have SHA-1 collision detection
osv · 2025-04-07 · CVSS 6.8 MEDIUM (same advisory text as the GHSA entry above)
OSV
CVE-2025-31130: gitoxide is an implementation of git written in Rust
osv · 2025-04-04 · CVSS 6.8 MEDIUM (NVD description, as at the top of this page)
GHSA
gitoxide does not detect SHA-1 collision attacks
ghsa · 2025-04-04 · MEDIUM · CWE-328
### Summary
gitoxide uses SHA-1 hash implementations without any collision detection, leaving it vulnerable to hash collision attacks.
### Details
gitoxide uses the `sha1_smol` or `sha1` crate, both of which implement standard SHA-1 without any mitigations for collision attacks. This means that two distinct Git objects with colliding SHA-1 hashes would break the Git object model and integrity checks when used with gitoxide.
The SHA-1 function is considered cryptographically insecure. However, in the wake of the SHAttered attacks, this issue was mitigated in Git 2.13.0 in 2017 by using the [sha1collisiondetection](https://github.com/crmarcstevens/sha1collisiondetection) algorithm by default and producing an error when known SHA-1 collision
OSV
gitoxide does not detect SHA-1 collision attacks
osv · 2025-04-04 · MEDIUM (same advisory text as the GHSA entry above)
OSV
SHA-1 collision attacks are not detected
osv · 2025-04-03 (same advisory text as the GHSA gitoxide entry above)
Debian
CVE-2025-31130: rust-gix-features
vendor_debian · 2025 · CVSS 6.8 MEDIUM
Scope: local
forky: resolved (fixed in 0.39.1-2)
sid: resolved (fixed in 0.39.1-2)
trixie: resolved (fixed in 0.39.1-2)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.