gix-lock (=10.0.0), gix-tempfile (=10.0.0) potentially affected by CVE-2024-35186 via gix-fs (=0.7.0)
Details
CVSS v3: 8.8
NVD published: 2024-05-23 09:15:09
EPSS: 0.4% probability · 62.8th percentile (2026-04-05)
Affected versions: Not available in our cache.
Summary
gitoxide is a pure Rust implementation of Git. During checkout, `gix-worktree-state` does not verify that paths point to locations inside the working tree, so a specially crafted repository can, when cloned, place new files anywhere the application has write access. This vulnerability leads to a major loss of confidentiality, integrity, and availability; even creating files outside the working tree without attempting to execute code directly impacts integrity. This vulnerability has been patched in version 0.36.0.