CVE-2025-22620

MEDIUM

gix-worktree-state < 0.17.0 - Improper Preservation of Permissions

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-22620. PoCs published by EliahKagan.

AI-analyzed exploit summary This repository contains a proof-of-concept for CVE-2025-22620, demonstrating a vulnerability in `gix-worktree-state` versions prior to 0.17.0. The PoC reproduces the issue by performing a checkout operation in a Git repository, highlighting the vulnerable behavior.

Description

gitoxide is an implementation of git written in Rust. Prior to 0.17.0, gix-worktree-state specifies 0777 permissions when checking out executable files, intending that the umask will restrict them appropriately. But one of the strategies it uses to set permissions is not subject to the umask. This causes files in a repository to be world-writable in some situations. This vulnerability is fixed in 0.17.0.

Exploits (1)

nomisec WORKING POC
by EliahKagan · poc
https://github.com/EliahKagan/checkout-index

This repository contains a proof-of-concept for CVE-2025-22620, demonstrating a vulnerability in `gix-worktree-state` versions prior to 0.17.0. The PoC reproduces the issue by performing a checkout operation in a Git repository, highlighting the vulnerable behavior.

Classification
Working Poc 95%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: gix-worktree-state < 0.17.0
No auth needed
Prerequisites: Git repository with executable files · Vulnerable version of `gix-worktree-state`
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 5.0
EPSS 0.0068
EPSS Percentile 72.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-281 CWE-687
Status published
Products (2)
crates.io/gix-worktree-state 0 - 0.17.0crates.io
GitoxideLabs/gitoxide < 0.17.0
Published Jan 20, 2025
Tracked Since Feb 18, 2026