CVE-2025-31130

gitoxide is an implementation of git written in Rust. Before 0.42.0, gitoxide uses SHA-1 hash implementations without any collision detection, leaving it vulnerable to hash collision attacks. gitoxide uses the sha1_smol or sha1 crate, both of which implement standard SHA-1 without any mitigations for collision attacks. This means that two distinct Git objects with colliding SHA-1 hashes would break the Git object model and integrity checks when used with gitoxide. This vulnerability is fixed in 0.42.0.

CVSS v3 6.8 MEDIUM

6.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/GitoxideLabs/gitoxide/commit/4660f7a6f71873311f68f170b0f1f6659a02829d
https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-2frx-2596-x5r6
https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-2frx-2596-x5r6

Configurations

No configuration.

History

07 Apr 2025, 14:18

Type	Values Removed	Values Added
Summary		(es) Gitoxide es una implementación de Git escrita en Rust. Antes de la versión 0.42.0, Gitoxide utilizaba implementaciones de hash SHA-1 sin detección de colisiones, lo que lo hacía vulnerable a ataques de colisión de hash. Gitoxide utiliza la caja sha1_smol o sha1, que implementan SHA-1 estándar sin mitigaciones para ataques de colisión. Esto significa que dos objetos Git distintos con hashes SHA-1 en colisión interrumpirían el modelo de objetos Git y las comprobaciones de integridad al usarse con Gitoxide. Esta vulnerabilidad se corrigió en la versión 0.42.0.

04 Apr 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-04 15:15

Updated : 2025-04-07 14:18

NVD link : CVE-2025-31130

Mitre link : CVE-2025-31130

CVE.ORG link : CVE-2025-31130

JSON object : View

Products Affected

No product.

CWE

CWE-328

Use of Weak Hash

{"id": "CVE-2025-31130", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 2.2}]}, "published": "2025-04-04T15:15:48.320", "references": [{"url": "https://github.com/GitoxideLabs/gitoxide/commit/4660f7a6f71873311f68f170b0f1f6659a02829d", "source": "security-advisories@github.com"}, {"url": "https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-2frx-2596-x5r6", "source": "security-advisories@github.com"}, {"url": "https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-2frx-2596-x5r6", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-328"}]}], "descriptions": [{"lang": "en", "value": "gitoxide is an implementation of git written in Rust. Before 0.42.0, gitoxide uses SHA-1 hash implementations without any collision detection, leaving it vulnerable to hash collision attacks. gitoxide uses the sha1_smol or sha1 crate, both of which implement standard SHA-1 without any mitigations for collision attacks. This means that two distinct Git objects with colliding SHA-1 hashes would break the Git object model and integrity checks when used with gitoxide. This vulnerability is fixed in 0.42.0."}, {"lang": "es", "value": "Gitoxide es una implementaci\u00f3n de Git escrita en Rust. Antes de la versi\u00f3n 0.42.0, Gitoxide utilizaba implementaciones de hash SHA-1 sin detecci\u00f3n de colisiones, lo que lo hac\u00eda vulnerable a ataques de colisi\u00f3n de hash. Gitoxide utiliza la caja sha1_smol o sha1, que implementan SHA-1 est\u00e1ndar sin mitigaciones para ataques de colisi\u00f3n. Esto significa que dos objetos Git distintos con hashes SHA-1 en colisi\u00f3n interrumpir\u00edan el modelo de objetos Git y las comprobaciones de integridad al usarse con Gitoxide. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 0.42.0."}], "lastModified": "2025-04-07T14:18:15.560", "sourceIdentifier": "security-advisories@github.com"}