GHSA-x494-mj8g-cj27: gix-pack has multiple DoS vectors: unchecked indexing panics and uncapped OOM allocations from crafted pack data

May 5, 2026

Multiple denial-of-service vectors in gix-pack: unchecked array indexing causes panics on crafted delta data, and uncapped attacker-controlled size headers enable OOM process kills. Both are triggered by malicious pack data received during clone/fetch.

References

github.com/GitoxideLabs/gitoxide
github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-x494-mj8g-cj27
github.com/advisories/GHSA-x494-mj8g-cj27

Code Behaviors & Features

Detect and mitigate GHSA-x494-mj8g-cj27 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →