CVE-2025-22620
MEDIUM
gitoxide <0.17.0 - Info Disclosure
Title source: llm
Description
gitoxide is an implementation of git written in Rust. Prior to 0.17.0, gix-worktree-state specifies 0777 permissions when checking out executable files, intending that the umask will restrict them appropriately. But one of the strategies it uses to set permissions is not subject to the umask. This causes files in a repository to be world-writable in some situations. This vulnerability is fixed in 0.17.0.
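The difference between the two permission-setting strategies the description refers to can be reproduced on any Unix system. The following is an added example, not code from gitoxide; the function names and scratch-file paths are hypothetical, and the read-bit derivation in `add_exec_from_read` is one possible mitigation, shown as an assumption rather than as the project's actual fix.

```rust
use std::fs::{self, OpenOptions, Permissions};
use std::io;
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};

/// Read the permission bits of `path`, then delete the scratch file.
fn take_mode(path: &Path) -> io::Result<u32> {
    let mode = fs::metadata(path)?.permissions().mode() & 0o7777;
    fs::remove_file(path)?;
    Ok(mode)
}

/// Create a fresh scratch file (constructed path under the temp dir) with `mode`.
fn create(name: &str, mode: u32) -> io::Result<PathBuf> {
    let path = std::env::temp_dir().join(format!("umask-demo-{}-{}", std::process::id(), name));
    let _ = fs::remove_file(&path);
    OpenOptions::new().write(true).create_new(true).mode(mode).open(&path)?;
    Ok(path)
}

/// Strategy A: request 0o777 at creation; the kernel stores 0o777 & !umask.
fn create_with_0777(name: &str) -> io::Result<u32> {
    take_mode(&create(name, 0o777)?)
}

/// Strategy B: chmod an existing file to 0o777; the umask is never consulted.
fn chmod_to_0777(name: &str) -> io::Result<u32> {
    let path = create(name, 0o600)?;
    fs::set_permissions(&path, Permissions::from_mode(0o777))?;
    take_mode(&path)
}

/// Hardened: add execute only where read is already granted, so the
/// write bits the file had stay exactly as they were.
fn add_exec_from_read(name: &str, initial: u32) -> io::Result<u32> {
    let path = create(name, 0o600)?;
    fs::set_permissions(&path, Permissions::from_mode(initial))?;
    let current = fs::metadata(&path)?.permissions().mode() & 0o7777;
    fs::set_permissions(&path, Permissions::from_mode(current | ((current & 0o444) >> 2)))?;
    take_mode(&path)
}

fn main() -> io::Result<()> {
    println!("create(0o777): {:o}", create_with_0777("a")?);
    println!("chmod(0o777):  {:o}", chmod_to_0777("b")?);
    println!("exec-from-read on 0o644: {:o}", add_exec_from_read("c", 0o644)?);
    Ok(())
}
```

The value printed for `create(0o777)` depends on the umask of the process that runs it, while the `chmod(0o777)` result is always `777`.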
Exploits (1)
Scores
CVSS v3
5.0
EPSS
0.0092
EPSS Percentile
76.0%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Details
CWE
CWE-281
CWE-687
Status
published
Products (2)
crates.io/gix-worktree-state
0 - 0.17.0
crates.io
GitoxideLabs/gitoxide
< 0.17.0
Published
Jan 20, 2025
Tracked Since
Feb 18, 2026