GHSA-FR8X-3VFX-F45H

Vulnerability from github – Published: 2026-05-05 19:27 – Updated: 2026-05-05 19:27
VLAI
Summary
gix and gitoxide: unvalidated submodule name traverses out of .git/modules and redirects state() / open() to another repository
Details

Summary

attachments: pocs.zip

Submodule names coming from .gitmodules are exposed as unvalidated names and are later reused to derive the submodule git directory as:

<superproject common_dir>/modules/<submodule name>

Because the submodule name is joined directly as a filesystem path component, a name such as ../../../escaped-target.git escapes .git/modules after normalization. The current implementation then uses that escaped path in both state() and open().

The updated PoC demonstrates the real sink, not just string construction:

  • state() reports repository_exists=true for the traversed path;
  • open() returns a repository whose normalized common_dir() matches the attacker-chosen repository outside .git/modules.

Root cause analysis

The relevant flow is:

  1. gix-submodule/src/access.rs exposes unvalidated submodule names from configuration.
  2. gix/src/submodule/mod.rs derives the git directory by doing common_dir().join("modules").join(name) with no confinement check.
  3. gix/src/submodule/mod.rs uses that derived path during state resolution and repository opening.

There is no normalization-and-confinement step between “submodule name from configuration” and “filesystem path used for repository existence checks / open.” As a result, traversal segments in the submodule name directly influence which repository path is inspected and opened.

Reproduce steps

Use the attached PoC zip that contains the pocs/ workspace.

  1. Unzip the PoC archive.
  2. Enter pocs/F002.

  3. Run:

    cargo run --quiet

  4. Compare the output with pocs/F002/result.txt.

Key outputs are:

  • submodule_name=../../../escaped-target.git
  • derived_git_dir_raw=.../.git/modules/../../../escaped-target.git
  • derived_git_dir_normalized=.../artifacts/escaped-target.git
  • escaped_target=.../artifacts/escaped-target.git
  • repository_exists=true
  • submodule_opened=true
  • opened_common_dir_normalized=.../artifacts/escaped-target.git
  • normalized_git_dir_matches_target=true
  • opened_common_dir_matches_target=true
  • target_outside_modules_root=true

These outputs show that gitoxide is not only constructing a traversable path string. It is actually using the escaped path for repository existence checks and for opening a repository object.

Impact

Confirmed impact:

  • a malicious submodule name can redirect submodule state inspection away from .git/modules/<name> to an attacker-chosen repository path outside .git/modules;
  • Submodule::state() can report repository existence for the wrong repository;
  • Submodule::open() can return a repository object backed by that attacker-chosen path.

This is best described as a path-traversal / repository-confusion issue in submodule repository resolution.

This report does not claim command execution from this behavior alone. The demonstrated impact is repository redirection: callers that enumerate, inspect, or operate on submodules can be steered into using the wrong repository.

Recommended fix

Two complementary fixes are advisable:

  1. do not reuse raw submodule names as filesystem path fragments;
    • either use a validated/sanitized name for filesystem derivation,
    • or derive the storage path from a safe identifier instead of the user-controlled name;
  2. add an explicit confinement check after path derivation;
    • normalize or canonicalize the candidate path,
    • verify that the result stays under <common_dir>/modules,
    • reject names that contain traversal segments, path separators, or any representation that can escape the modules root.

In short, submodule names may remain opaque configuration identifiers, but they should not be treated as trusted filesystem subpaths.

Severity
7.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.52.0"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "gitoxide"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.52.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "gix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.83.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T19:27:51Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## **Summary**\nattachments:\n[pocs.zip](https://github.com/user-attachments/files/26431422/pocs.zip)\n\nSubmodule names coming from `.gitmodules` are exposed as unvalidated names and are later reused to derive the submodule git directory as:\n\n```\n\u003csuperproject common_dir\u003e/modules/\u003csubmodule name\u003e\n```\n\nBecause the submodule name is joined directly as a filesystem path component, a name such as `../../../escaped-target.git` escapes `.git/modules` after normalization. The current implementation then uses that escaped path in both `state()` and `open()`.\n\nThe updated PoC demonstrates the real sink, not just string construction:\n\n- `state()` reports `repository_exists=true` for the traversed path;\n- `open()` returns a repository whose normalized `common_dir()` matches the attacker-chosen repository outside `.git/modules`.\n\n## **Root cause analysis**\n\nThe relevant flow is:\n\n1. [`gix-submodule/src/access.rs`](https://github.com/GitoxideLabs/gitoxide/blob/v0.52.0/gix-submodule/src/access.rs) exposes unvalidated submodule names from configuration.\n2. [`gix/src/submodule/mod.rs`](https://github.com/GitoxideLabs/gitoxide/blob/v0.52.0/gix/src/submodule/mod.rs) derives the git directory by doing `common_dir().join(\"modules\").join(name)` with no confinement check.\n3. [`gix/src/submodule/mod.rs`](https://github.com/GitoxideLabs/gitoxide/blob/v0.52.0/gix/src/submodule/mod.rs) uses that derived path during state resolution and repository opening.\n\nThere is no normalization-and-confinement step between \u201csubmodule name from configuration\u201d and \u201cfilesystem path used for repository existence checks / open.\u201d As a result, traversal segments in the submodule name directly influence which repository path is inspected and opened.\n\n## **Reproduce steps**\n\nUse the attached PoC zip that contains the `pocs/` workspace.\n\n1. Unzip the PoC archive.\n2. Enter `pocs/F002`.\n3. Run:\n    \n    ```\n    cargo run --quiet\n    ```\n    \n4. Compare the output with `pocs/F002/result.txt`.\n\nKey outputs are:\n\n- `submodule_name=../../../escaped-target.git`\n- `derived_git_dir_raw=.../.git/modules/../../../escaped-target.git`\n- `derived_git_dir_normalized=.../artifacts/escaped-target.git`\n- `escaped_target=.../artifacts/escaped-target.git`\n- `repository_exists=true`\n- `submodule_opened=true`\n- `opened_common_dir_normalized=.../artifacts/escaped-target.git`\n- `normalized_git_dir_matches_target=true`\n- `opened_common_dir_matches_target=true`\n- `target_outside_modules_root=true`\n\nThese outputs show that gitoxide is not only constructing a traversable path string. It is actually using the escaped path for repository existence checks and for opening a repository object.\n\n## **Impact**\n\nConfirmed impact:\n\n- a malicious submodule name can redirect submodule state inspection away from `.git/modules/\u003cname\u003e` to an attacker-chosen repository path outside `.git/modules`;\n- `Submodule::state()` can report repository existence for the wrong repository;\n- `Submodule::open()` can return a repository object backed by that attacker-chosen path.\n\nThis is best described as a path-traversal / repository-confusion issue in submodule repository resolution.\n\nThis report does **not** claim command execution from this behavior alone. The demonstrated impact is repository redirection: callers that enumerate, inspect, or operate on submodules can be steered into using the wrong repository.\n\n## **Recommended fix**\n\nTwo complementary fixes are advisable:\n\n1. do not reuse raw submodule names as filesystem path fragments;\n    - either use a validated/sanitized name for filesystem derivation,\n    - or derive the storage path from a safe identifier instead of the user-controlled name;\n2. add an explicit confinement check after path derivation;\n    - normalize or canonicalize the candidate path,\n    - verify that the result stays under `\u003ccommon_dir\u003e/modules`,\n    - reject names that contain traversal segments, path separators, or any representation that can escape the modules root.\n\nIn short, submodule names may remain opaque configuration identifiers, but they should not be treated as trusted filesystem subpaths.",
  "id": "GHSA-fr8x-3vfx-f45h",
  "modified": "2026-05-05T19:27:51Z",
  "published": "2026-05-05T19:27:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-fr8x-3vfx-f45h"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/GitoxideLabs/gitoxide"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "gix and gitoxide: unvalidated submodule name traverses out of .git/modules and redirects state() / open() to another repository"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.