GHSA-p3hw-mv63-rf9w: gix's submodule name validation bypass + trust inheritance flaw enables path traversal and credential disclosure
A submodule name validation bypass, together with missing validation in production code paths, allows path traversal via a crafted .gitmodules file. Combined with a trust inheritance flaw in Submodule::open(), this enables reading arbitrary git repository configs (including credentials) from traversed paths with full trust (CWE-22, CWE-200).
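The name-validation half of this advisory comes down to one check: a submodule name read from .gitmodules must never be allowed to escape the `.git/modules/` directory it is used to address. The following is an added example, not gitoxide's own code and not the patch for this advisory; it shows a small .gitmodules section parser that applies git's own rule for `check_submodule_name` (reject any `..` path component, treating both `/` and `\` as separators) before a module directory is derived from the name. Rejecting absolute paths and drive-letter prefixes is an extra hardening choice made here, not a git rule. The sample .gitmodules content and the `libs/crypto`, `example.invalid` names are constructed for the example; the `SubmoduleEntry`, `parse_gitmodules` and `modules_dir_for` names are this example's own.

```rust
// Added example (not gitoxide's code): validate submodule names taken from
// .gitmodules before they are used to build paths below .git/modules/.

#[derive(Debug, PartialEq)]
pub struct SubmoduleEntry {
    pub name: String,
    pub path: Option<String>,
    pub url: Option<String>,
}

/// Returns true if `name` may safely be used as a component under .git/modules/.
pub fn is_valid_submodule_name(name: &str) -> bool {
    if name.is_empty() {
        return false;
    }
    // Extra hardening beyond git's rule: refuse absolute paths on both Unix and
    // Windows so the name can only ever land below .git/modules/.
    if name.starts_with('/') || name.starts_with('\\') {
        return false;
    }
    let b = name.as_bytes();
    if b.len() >= 2 && b[0].is_ascii_alphabetic() && b[1] == b':' {
        return false; // drive-letter prefix such as "C:\..."
    }
    // git's rule (check_submodule_name): no ".." as a path component, with
    // '/' and '\' both treated as separators regardless of platform.
    name.split(|c: char| c == '/' || c == '\\')
        .all(|component| component != "..")
}

/// Builds the on-disk git dir for a submodule only after its name is accepted.
pub fn modules_dir_for(git_dir: &str, name: &str) -> Option<String> {
    is_valid_submodule_name(name)
        .then(|| format!("{}/modules/{}", git_dir.trim_end_matches('/'), name))
}

fn finish(entry: Option<SubmoduleEntry>, accepted: &mut Vec<SubmoduleEntry>, rejected: &mut Vec<String>) {
    if let Some(e) = entry {
        if is_valid_submodule_name(&e.name) {
            accepted.push(e);
        } else {
            rejected.push(e.name);
        }
    }
}

/// Minimal parser for the `[submodule "<name>"]` sections git writes to
/// .gitmodules. Returns (accepted entries, rejected names). Escaped quotes
/// inside section names and keys other than path/url are deliberately ignored.
pub fn parse_gitmodules(text: &str) -> (Vec<SubmoduleEntry>, Vec<String>) {
    let mut accepted = Vec::new();
    let mut rejected = Vec::new();
    let mut current: Option<SubmoduleEntry> = None;

    for raw in text.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') || line.starts_with(';') {
            continue;
        }
        if let Some(name) = line
            .strip_prefix("[submodule \"")
            .and_then(|s| s.strip_suffix("\"]"))
        {
            finish(current.take(), &mut accepted, &mut rejected);
            current = Some(SubmoduleEntry { name: name.to_string(), path: None, url: None });
        } else if let Some((key, value)) = line.split_once('=') {
            if let Some(entry) = current.as_mut() {
                match key.trim() {
                    "path" => entry.path = Some(value.trim().to_string()),
                    "url" => entry.url = Some(value.trim().to_string()),
                    _ => {}
                }
            }
        }
    }
    finish(current, &mut accepted, &mut rejected);
    (accepted, rejected)
}

// Constructed sample input: one benign entry and two traversal attempts.
pub const SAMPLE_GITMODULES: &str = r#"# constructed sample, not from any real repository
[submodule "libs/crypto"]
    path = libs/crypto
    url = https://example.invalid/crypto.git
[submodule "../../escape"]
    path = vendor/escape
    url = https://example.invalid/escape.git
[submodule "..\win"]
    path = vendor/win
    url = https://example.invalid/win.git
"#;

fn main() {
    let (accepted, rejected) = parse_gitmodules(SAMPLE_GITMODULES);
    for e in &accepted {
        println!("accepted {:?} -> {:?}", e.name, modules_dir_for(".git", &e.name));
    }
    for n in &rejected {
        println!("rejected {:?}", n);
    }
}
```

The point of `modules_dir_for` returning an `Option` is that the path is only ever computed from a validated name; a caller cannot accidentally join an unchecked name onto the git dir. The same gate needs to sit in every code path that reads .gitmodules, not only the one exercised by tests, which is the gap the advisory describes.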