CVE-2025-31130 — Use of Weak Hash in Gitoxide

CWE-328 — Use of Weak Hash CWE-787 — Out-of-bounds Write9 documents5 sources

Severity

6.8MEDIUMNVD

EPSS

0.1%

top 82.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitoxidelabs Gitoxide Byron Gitoxide Debian Rust-gix-features +13 more

Timeline

PublishedApr 4

Latest updateApr 7

Description

gitoxide is an implementation of git written in Rust. Before 0.42.0, gitoxide uses SHA-1 hash implementations without any collision detection, leaving it vulnerable to hash collision attacks. gitoxide uses the sha1_smol or sha1 crate, both of which implement standard SHA-1 without any mitigations for collision attacks. This means that two distinct Git objects with colliding SHA-1 hashes would break the Git object model and integrity checks when used with gitoxide. This vulnerability is fixed in …

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:NExploitability: 2.2 | Impact: 4.0

Affected Packages16 packages

▶crates.iobyron/gitoxide< 0.42.0

▶CVEListV5gitoxidelabs/gitoxide< 0.42.0

▶debiandebian/rust-gix-features< rust-gix-features 0.39.1-2 (forky)

▶msrcmsrc/azl3_ceph_18.2.2-8_on_azure_linux_3.0

▶msrcmsrc/azl3_grpc_1.42.0-7_on_azure_linux_3.0

🔴Vulnerability Details

GHSA

Jujutsu does not have SHA-1 collision detection↗2025-04-07

▶

OSV

Jujutsu does not have SHA-1 collision detection↗2025-04-07

▶

OSV

CVE-2025-31130: gitoxide is an implementation of git written in Rust↗2025-04-04

▶

GHSA

gitoxide does not detect SHA-1 collision attacks↗2025-04-04

▶

OSV

gitoxide does not detect SHA-1 collision attacks↗2025-04-04

▶

📋Vendor Advisories

Debian

CVE-2025-31130: rust-gix-features - gitoxide is an implementation of git written in Rust. Before 0.42.0, gitoxide us...↗2025

▶

Microsoft

Buffer Underwrite in ares_inet_net_pton()↗2023-05-09

▶