How the CVE works:
The curl-based HTTP transport in gix-transport fails to validate redirect targets before attaching credentials. When a server returns a 302 redirect during the initial GET /info/refs, gitoxide records the redirected base URL and rewrites all subsequent requests (e.g., POST /git-upload-pack) to the attacker’s host. The `add_basic_auth_if_present()` function only checks `self.url` (the original, never-updated URL) to decide whether to add credentials. Since `self.url` still points to the legitimate host, credentials are approved and attached to the rewritten request. The `Authorization` header is sent to the attacker-controlled server. Curl’s default cross-domain header stripping only protects the redirected GET, not the subsequent POST. Additionally, an HTTPS-to-HTTP redirect bypasses the cleartext protection because the check only validates the original URL’s scheme. The reqwest backend is not affected due to a custom redirect policy that blocks cross-domain redirects. The attack requires only that a victim clones or fetches from a malicious or compromised server that issues a redirect.
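As an added illustration, not gitoxide's own code, here is the credential-attachment decision described above in its vulnerable and hardened forms; `origin_of`, `attach_auth_vulnerable` and `attach_auth_hardened` are constructed names, and the URL splitting is a deliberately minimal stand-in for a real URL parser.

```rust
// Constructed example (not gix-transport code): the decision "may I attach the
// Authorization header to this request?" made two ways.

#[derive(Debug, PartialEq)]
pub struct Origin {
    pub scheme: String,
    pub host: String, // host[:port], lower-cased
}

/// Minimal "scheme://[userinfo@]host[:port]/path" splitter (constructed helper).
pub fn origin_of(url: &str) -> Option<Origin> {
    let (scheme, rest) = url.split_once("://")?;
    let authority = rest.split('/').next().unwrap_or(rest);
    let host = authority.rsplit('@').next().unwrap_or(authority); // drop userinfo
    Some(Origin {
        scheme: scheme.to_ascii_lowercase(),
        host: host.to_ascii_lowercase(),
    })
}

/// Vulnerable shape: only the URL the user typed (the advisory's `self.url`) is
/// consulted, so a redirect to another host or a downgrade to http never
/// changes the answer and the header goes wherever the request was rewritten to.
pub fn attach_auth_vulnerable(original: &str, _effective: &str, allow_cleartext: bool) -> bool {
    match origin_of(original) {
        Some(o) => o.scheme == "https" || (o.scheme == "http" && allow_cleartext),
        None => false,
    }
}

/// Hardened shape: decide from the URL the request will actually be sent to,
/// and refuse outright if the redirect changed the host or downgraded https.
pub fn attach_auth_hardened(original: &str, effective: &str, allow_cleartext: bool) -> bool {
    let (orig, eff) = match (origin_of(original), origin_of(effective)) {
        (Some(o), Some(e)) => (o, e),
        _ => return false,
    };
    if orig.host != eff.host {
        return false; // cross-host redirect: credentials stay home
    }
    if orig.scheme == "https" && eff.scheme != "https" {
        return false; // https -> http downgrade: never send the header in cleartext
    }
    eff.scheme == "https" || (eff.scheme == "http" && allow_cleartext)
}
```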
dailycve form:
Platform: gitoxide (curl)
Version: 0.55.0
Vulnerability: Credential leak redirect
Severity: Medium
Date: 2025-01-15
Prediction: 2025-02-01
What Undercode Say:
Check for the vulnerable gitoxide version:
gix --version | grep "0.55.0"
Simulate the vulnerable redirect flow:
curl -v -L --user victim:token http://legit:8080/repo.git/info/refs
Monitor for the Authorization header in the POST that follows the redirect (a BPF filter can only match on ports and addresses, so the header text is matched on the decoded payload instead):
tcpdump -i lo -A -s 0 'tcp port 9090' | grep --line-buffered -E 'POST|Authorization'
Exploit:
Start attacker server (port 9090) and legitimate redirector (port 8080). Victim runs `git clone http://127.0.0.1:8080/repo.git` with credentials. GET /info/refs receives 302 to attacker. Attacker responds with valid refs. POST /git-upload-pack is rewritten to attacker, and Authorization header (Basic base64(token)) is sent. Attacker logs the leaked credentials.
Protection from this CVE:
Upgrade to fixed version (patch validates effective URL host and scheme). Do not use curl backend; switch to reqwest backend. Enforce strict redirect policies via configuration. Block cross-origin redirects in HTTP client. Monitor for unexpected 302 responses in CI/CD.
Impact:
Any user cloning/fetching over HTTP(S) with gitoxide curl backend loses credentials to attacker-controlled server via redirect. CI/CD tokens exposed. HTTPS-to-HTTP downgrade sends credentials in cleartext. No user interaction beyond initiating clone/fetch.
Sources:
Reported By: github.com