How the CVE Works
Jujutsu (`jj`) versions ≤0.28.0 pull in `gitoxide` (the `gix` crates) releases whose SHA-1 implementation performs no collision detection. CVE-2025-31130 is the gitoxide-side issue: SHA-1 is broken for collision resistance, so an attacker with enough compute can produce two distinct Git objects that share one object id. Git's integrity model assumes an object id names exactly one object, and Jujutsu relies on that assumption for every repository operation. SHAttered (2017) demonstrated an identical-prefix collision; SHA-1 is a Shambles (2020) demonstrated a chosen-prefix collision, which lets the attacker choose both objects' meaningful content, at a cost its authors put in the tens of thousands of US dollars of rented GPU time and projected to fall to roughly US$10k by 2025. Note that Git does not hash a file's raw bytes but `<type> <size>\0<bytes>`, so a colliding pair must be computed with that header as part of the prefix; the published SHAttered PDFs collide as files, not as Git blobs. Upstream Git has shipped collision-detecting SHA-1 (SHA-1DC) by default since 2.13 and refuses any object that shows the signature of a collision attack; gitoxide did not, so a `jj` fetch or import could accept an object that `git` would reject. An attacker who can get such an object into a repository can substitute a malicious blob, tree or commit for a legitimate one with the same id, and the substitution is invisible to anything that checks only the hash.
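The header point and the first-writer-wins behaviour described above, as an added example that is not part of the original page nor of Jujutsu's or gitoxide's code. It models Git's object hashing and a content-addressed store in Python; `weak_hash_16bit` is a constructed stand-in for SHA-1 so that a colliding pair can be brute-forced offline, and `ingest_checked` is a hypothetical hardened write, not how Git or gitoxide defend themselves (they run SHA-1DC at hash time, which is not reproduced here):

```python
import hashlib
from typing import Callable, Dict, Tuple

HashFn = Callable[[bytes], str]


def sha1_hex(data: bytes) -> str:
    """Real SHA-1, as Git uses it."""
    return hashlib.sha1(data).hexdigest()


def weak_hash_16bit(data: bytes) -> str:
    """Constructed stand-in for the demo only: SHA-1 truncated to 16 bits,
    so that a collision can be found in a few hundred tries."""
    return hashlib.sha1(data).hexdigest()[:4]


def git_object_id(kind: bytes, payload: bytes, hash_fn: HashFn = sha1_hex) -> str:
    """Git hashes '<type> <size>\\0<payload>', never the raw payload.
    Two files that collide as raw SHA-1 inputs (e.g. the SHAttered PDFs)
    get different blob ids unless the collision was computed with this
    header as part of the prefix."""
    header = kind + b" " + str(len(payload)).encode() + b"\0"
    return hash_fn(header + payload)


class ObjectStore:
    """Minimal content-addressed store mirroring Git's write rule: an id
    already present is left alone and the new bytes are never compared,
    so the second member of a colliding pair is silently dropped."""

    def __init__(self, hash_fn: HashFn = sha1_hex) -> None:
        self.hash_fn = hash_fn
        self.objects: Dict[str, Tuple[bytes, bytes]] = {}

    def write(self, kind: bytes, payload: bytes) -> str:
        oid = git_object_id(kind, payload, self.hash_fn)
        self.objects.setdefault(oid, (kind, payload))
        return oid

    def read(self, oid: str) -> Tuple[bytes, bytes]:
        return self.objects[oid]


def ingest_checked(store: ObjectStore, kind: bytes, payload: bytes) -> str:
    """Hypothetical hardened write: refuse an id that is already bound to
    different bytes instead of keeping the first writer. Git cannot rely on
    this because the colliding object usually arrives later, at a different
    client; that is why SHA-1DC checks each single input at hash time."""
    oid = git_object_id(kind, payload, store.hash_fn)
    existing = store.objects.get(oid)
    if existing is not None and existing != (kind, payload):
        raise ValueError(f"collision: two distinct objects hash to {oid}")
    return store.write(kind, payload)


def find_collision_pair(hash_fn: HashFn, kind: bytes = b"blob") -> Tuple[bytes, bytes]:
    """Brute-force two distinct payloads with the same object id. Feasible
    here only because of the toy hash; against real SHA-1 this step is the
    chosen-prefix attack that costs GPU-months."""
    seen: Dict[str, bytes] = {}
    i = 0
    while True:
        payload = b"evil payload #%d\n" % i
        oid = git_object_id(kind, payload, hash_fn)
        if oid in seen:
            return seen[oid], payload
        seen[oid] = payload
        i += 1


def demo() -> dict:
    """Run the scenario end to end under the toy hash and report what happened."""
    first, second = find_collision_pair(weak_hash_16bit)
    store = ObjectStore(weak_hash_16bit)
    oid = store.write(b"blob", first)
    oid_again = store.write(b"blob", second)  # "succeeds", but the bytes are dropped
    try:
        ingest_checked(store, b"blob", second)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "same_id": oid == oid_again,
        "store_holds_first": store.read(oid) == (b"blob", first),
        "checked_ingest_rejected": rejected,
        # the header matters: raw sha1 of "hello\n" is not its blob id
        "raw_ne_blob": sha1_hex(b"hello\n") != git_object_id(b"blob", b"hello\n"),
    }


if __name__ == "__main__":
    # ce013625030ba8dba906f756967f9e9ca394464a, the same id `git hash-object` prints
    print(git_object_id(b"blob", b"hello\n"))
    print(demo())
```

The takeaway for the advisory: once a colliding object is in the store, listing ids cannot reveal it, because the store only ever holds one object per id. The defence has to act on each object as it is hashed, which is what SHA-1DC in Git and the patched gitoxide do.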
DailyCVE Form
Platform: Jujutsu
Version: ≤0.28.0
Vulnerability: SHA-1 collision
Severity: Critical
Date: 2025-03-15
What Undercode Say:
Exploit:
1. Obtain a colliding pair of Git objects. The `sha1collisiondetection` project is the detection library (it provides `sha1dcsum` and the code Git itself uses), not a collision generator; producing a pair requires either the published SHAttered PDFs (which collide as raw files but not as Git blobs, because the `blob <size>\0` header is not part of their prefix) or a Shambles-style chosen-prefix attack computed over the header plus the attacker's content. The library can at least tell you whether a candidate file carries a collision-attack signature:
git clone https://github.com/cr-marcstevens/sha1collisiondetection
make -C sha1collisiondetection
./sha1collisiondetection/bin/sha1dcsum evil_obj1 evil_obj2
2. Inject one member of the pair into a Git repo and reference it from a commit (a branch must point at a commit, not a blob). Whichever object with that id reaches the store first wins; a later one with the same id is silently ignored:
OBJ=$(git hash-object -w evil_obj1)                       # stores the blob, prints its id
git update-index --add --cacheinfo 100644,"$OBJ",evil     # stage it under the path "evil"
TREE=$(git write-tree)
git update-ref refs/heads/evil_branch "$(git commit-tree -m evil "$TREE")"
Protect:
1. Upgrade Jujutsu to a patched release (>0.28.0) and confirm the binary you actually run was built against a gitoxide release whose SHA-1 is the collision-detecting `sha1-checked` crate.
2. Use SHA-256 objects for new repositories. The object format is fixed when the repository is created and lives in the repository config under `[extensions]`, not in user config; an existing SHA-1 repository cannot be switched in place:
git init --object-format=sha256 newrepo
# newrepo/.git/config then contains:
[core]
    repositoryformatversion = 1
[extensions]
    objectFormat = sha256
Check that every tool that touches the repository, including the `jj` version you run, supports the SHA-256 object format before relying on this.
3. If you build on gitoxide yourself, the crate is `gix` (there is no `gitoxide` crate on crates.io). Rather than trusting a feature flag, verify what ends up in the dependency graph: `sha1-checked` should resolve through `gix-features`, and the older non-detecting SHA-1 implementations should no longer be present:
cargo tree -i sha1-checked
cargo tree -i sha1_smol    # should report that no such package is in the graph
Analytics:
- Attack Surface: any Git-backed `jj` repository that ingests objects from an untrusted source (clone, fetch, or a colocated checkout others push to). No `jj`-specific feature is needed; the attack targets the hash the Git backend trusts.
- Detection: a collision cannot be found by listing ids, because the object store only ever holds one object per id, so `git log --all --format='%H' | sort | uniq -d` never matches. Detection has to happen at hashing time with SHA-1DC, which flags a single input that carries the signature of a collision attack:
git fsck --full            # a Git built with DC_SHA1 (the default since 2.13) aborts on such objects
sha1dcsum suspicious_file  # same check on a file before it is committed
- Mitigation: complete only once every `jj` binary that touches the repository has been rebuilt against the patched gitoxide; an unpatched client on another machine still accepts what a patched one rejects.
References:
Reported By: https://github.com/advisories/GHSA-794x-2rpg-rfgr