Byron Gitoxide vulnerabilities

8 known vulnerabilities affecting byron/gitoxide.

Total CVEs: 8
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 5, LOW 2

Vulnerabilities

CVE-2025-31130 | MEDIUM | affected: ≥ 0, < 0.42.0 | 2025-04-04
CVE-2025-31130 [MEDIUM] CWE-328: gitoxide does not detect SHA-1 collision attacks. Summary: gitoxide uses SHA-1 hash implementations without any collision detection, leaving it vulnerable to hash collision attacks. Details: gitoxide uses the `sha1_smol` or `sha1` crate, both of which implement standard SHA-1 without any mitigations for collision attacks. This means that two distinct Git objects with colliding SHA-1 hashes would break the Git
Sources: GHSA, OSV
CVE-2024-45405 | MEDIUM | CVSS 6.0 | fixed in 0.10.11 | 2024-09-06
CVE-2024-45405 [MEDIUM] CWE-41: `gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing with paths and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a configuration file associated with the `git` installation, but improperly resolves paths containing unusual or non-ASCII characters, in rare cases enabl
Sources: NVD
CVE-2024-45305 | LOW | CVSS 2.5 | fixed in 0.10.10 | 2024-09-02
CVE-2024-45305 [LOW] CWE-706: gix-path is a crate of the gitoxide project dealing with git paths and their conversions. `gix-path` executes `git` to find the path of a configuration file that belongs to the `git` installation itself, but mistakenly treats the local repository's configuration as system-wide if no higher scoped configuration is found. In rare cases, this causes a les
Sources: NVD
CVE-2024-43785 | LOW | CVSS 2.5 | affected: ≤ 0.41.0 | 2024-08-22
CVE-2024-43785 [LOW] CWE-150: gitoxide: An idiomatic, lean, fast & safe pure Rust implementation of Git. gitoxide-core, which provides most underlying functionality of the gix and ein commands, does not neutralize newlines, backspaces, or control characters—including those that form ANSI escape sequences—that appear in a repository's paths, author and committer names, commit message
Sources: GHSA, NVD, OSV
CVE-2024-40644 | MEDIUM | CVSS 6.8 | fixed in 0.10.9 | 2024-07-18
CVE-2024-40644 [MEDIUM] CWE-345: gitoxide: An idiomatic, lean, fast & safe pure Rust implementation of Git. `gix-path` can be tricked into running another `git.exe` placed in an untrusted location by a limited user account on Windows systems. Windows permits limited user accounts without administrative privileges to create new directories in the root of the system drive. While `gix-p
Sources: NVD
CVE-2024-35186 | HIGH | CVSS 8.8 | fixed in 0.36.0 | 2024-05-23
CVE-2024-35186 [HIGH] CWE-23: gitoxide is a pure Rust implementation of Git. During checkout, `gix-worktree-state` does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application. This vulnerability leads to a major loss of confidentiality, integrity, and availability, but creat
Sources: GHSA, NVD, OSV
CVE-2024-35197 | MEDIUM | CVSS 5.4 | fixed in 0.36.0 | 2024-05-23
CVE-2024-35197 [MEDIUM] CWE-67: gitoxide is a pure Rust implementation of Git. On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary messages that appear to have come
Sources: GHSA, NVD, OSV
CVE-2024-32884 | MEDIUM | CVSS 6.4 | fixed in 0.42.0, fixed in 0.62, +1 more | 2024-04-26
CVE-2024-32884 [MEDIUM] CWE-77: gitoxide is a pure Rust implementation of Git. `gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current work
Sources: GHSA, NVD, OSV