GHSA-F89H-2FJH-2R9Q

Vulnerability from github – Published: 2026-05-07 00:01 – Updated: 2026-05-14 20:43
VLAI?
Summary
gix-fs: Symlink prefix-reuse allows worktree escape during checkout
Details

Summary

A malicious tree can be constructed that will, when checked out with gitoxide, permit writing an attacker-controlled symlink into any existing directory the user has write access to.

Details

During checkout, all symlink index entries are deferred and created after regular files using a single shared gix_worktree::Stack. Internally, this uses a gix_fs::Stack.

gix_fs::Stack::make_relative_path_current() caches validated path prefixes: when the previously-processed leaf component exactly matches the leading component(s) of the next path, the leaf-to-directory transition at gix-fs/src/stack.rs:195-197 invokes only delegate.push_directory(), never delegate.push().

In gix_worktree::stack::delegate::StackDelegate, when the state member is State::CreateDirectoryAndAttributesStack, Attributes::push_directory() only loads attributes (from the ODB, in the clone case), and does not perform any other checks. The on-disk symlink_metadata() check and unlink-on-collision live in StackDelegate::push()'s invocation of create_leading_directory(), which is therefore bypassed for the cached prefix. The final symlink is created with plain std::os::unix::fs::symlink, which follows symlinks in parent directories.

Therefore, it's possible to provide a tree with duplicate symlink and directory entries that exploits this. If a tree is constructed with:

  1. A 120000 (symlink) entry a that points to .git/hooks.
  2. A 040000 (directory) entry a with a subtree that contains a symlink from post-checkout to ../../payload.
  3. A 100755 (executable file) entry payload.

This is converted by gix_index::State::from_tree() into index entries ["a" (SYMLINK), "a/post-checkout" (SYMLINK)].

Then, during the delayed symlink phase:

  1. a is created as a symlink to e.g. .git/hooks.
  2. When processing a/post-checkout, the a prefix is reused from the just-processed leaf entry without re-running the intermediate-directory check, after which…
  3. symlink(target, "<wt>/a/post-checkout") resolves through the just-created symlink to write .git/hooks/post-checkout.

Although this example uses .git/hooks for simplicity, there's no actual requirement to write within the repo checkout. This can be fairly easily chained into code execution by writing to something that is known to be executed — for example, by writing to .git/hooks/post-checkout if the attacker knows that a hook-aware Git implementation will be used later, or by writing to something like ~/.local/bin.

PoC

Attached is build-bad-repo.sh, which builds a repo with the aforementioned tree structure. Cloning it with gix will set up the malicious .git/hooks/post-checkout, at which point anything that normally invokes the post-checkout hook will result in its execution, such as git checkout -b new-branch.

Impact

Arbitrary symlink creation into any existing directory the user can write to.

Disclosure

This vulnerability was found by AI (specifically, Claude Mythos) as part of Project Glasswing. This advisory was written and verified by a human.

Severity ?
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.21.0"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "gix-fs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.21.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44471"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T00:01:28Z",
    "nvd_published_at": "2026-05-13T22:16:46Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nA malicious tree can be constructed that will, when checked out with gitoxide, permit writing an attacker-controlled symlink into any existing directory the user has write access to.\n\n### Details\n\nDuring checkout, all symlink index entries are deferred and created after regular files using a single shared `gix_worktree::Stack`. Internally, this uses a `gix_fs::Stack`.\n\n`gix_fs::Stack::make_relative_path_current()` caches validated path prefixes: when the previously-processed leaf component exactly matches the leading component(s) of the next path, the leaf-to-directory transition at `gix-fs/src/stack.rs:195-197` invokes only `delegate.push_directory()`, never `delegate.push()`.\n\nIn `gix_worktree::stack::delegate::StackDelegate`, when the state member is `State::CreateDirectoryAndAttributesStack`, `Attributes::push_directory()` only loads attributes (from the ODB, in the clone case), and does not perform any other checks. The on-disk `symlink_metadata()` check and unlink-on-collision live in `StackDelegate::push()`\u0027s invocation of `create_leading_directory()`, which is therefore bypassed for the cached prefix. The final symlink is created with plain `std::os::unix::fs::symlink`, which follows symlinks in parent directories.\n\nTherefore, it\u0027s possible to provide a tree with duplicate symlink and directory entries that exploits this. If a tree is constructed with:\n\n1. A `120000` (symlink) entry `a` that points to `.git/hooks`.\n2. A `040000` (directory) entry `a` with a subtree that contains a symlink from `post-checkout` to `../../payload`.\n3. A `100755` (executable file) entry `payload`.\n\nThis is converted by `gix_index::State::from_tree()` into index entries `[\"a\" (SYMLINK), \"a/post-checkout\" (SYMLINK)]`.\n\nThen, during the delayed symlink phase:\n\n1. `a` is created as a symlink to e.g. `.git/hooks`.\n2. When processing `a/post-checkout`, the `a` prefix is reused from the just-processed leaf entry without re-running the intermediate-directory check, after which\u2026\n3. `symlink(target, \"\u003cwt\u003e/a/post-checkout\")` resolves through the just-created symlink to write `.git/hooks/post-checkout`.\n\nAlthough this example uses `.git/hooks` for simplicity, there\u0027s no actual requirement to write within the repo checkout. This can be fairly easily chained into code execution by writing to something that is known to be executed \u2014 for example, by writing to `.git/hooks/post-checkout` if the attacker knows that a hook-aware Git implementation will be used later, or by writing to something like `~/.local/bin`.\n\n### PoC\n\nAttached is [build-bad-repo.sh](https://github.com/user-attachments/files/27223800/build-bad-repo.sh), which builds a repo with the aforementioned tree structure. Cloning it with `gix` will set up the malicious `.git/hooks/post-checkout`, at which point anything that normally invokes the `post-checkout` hook will result in its execution, such as `git checkout -b new-branch`.\n\n### Impact\n\nArbitrary symlink creation into any existing directory the user can write to.\n\n### Disclosure\n\nThis vulnerability was found by AI (specifically, Claude Mythos) as part of [Project Glasswing](https://www.anthropic.com/glasswing). This advisory was written and verified by a human.",
  "id": "GHSA-f89h-2fjh-2r9q",
  "modified": "2026-05-14T20:43:45Z",
  "published": "2026-05-07T00:01:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-f89h-2fjh-2r9q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44471"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/GitoxideLabs/gitoxide"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "gix-fs: Symlink prefix-reuse allows worktree escape during checkout"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.