CVE-2025-31130

Published: Apr 4, 2025

Modified: Jan 23, 2026

PUBLISHED

CVSS v3.1

6.8

MEDIUM

Description

gitoxide is an implementation of git written in Rust. Before 0.42.0, gitoxide uses SHA-1 hash implementations without any collision detection, leaving it vulnerable to hash collision attacks. gitoxide uses the sha1_smol or sha1 crate, both of which implement standard SHA-1 without any mitigations for collision attacks. This means that two distinct Git objects with colliding SHA-1 hashes would break the Git object model and integrity checks when used with gitoxide. This vulnerability is fixed in 0.42.0.

Vendor	Product	Versions
GitoxideLabs	gitoxide	affected `< 0.42.0`

Weaknesses (CWE)

CWE-328

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

High

Availability

None

References

https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-2frx-2596-x5r6

x_refsource_CONFIRM

https://github.com/GitoxideLabs/gitoxide/commit/f253f02a6658b3b7612a50d56c71f5ae4da4ca21

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-31130

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References