CVE-2024-43785: gitoxide-core does not neutralize special characters for terminals

August 22, 2024 (updated January 21, 2025)

The gix and ein commands write pathnames and other metadata literally to terminals, even if they contain characters terminals treat specially, including ANSI escape sequences. This sometimes allows an untrusted repository to misrepresent its contents and to alter or concoct error messages.

References

github.com/Byron/gitoxide
github.com/Byron/gitoxide/security/advisories/GHSA-88g2-r9rw-g55h
github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-88g2-r9rw-g55h
github.com/advisories/GHSA-88g2-r9rw-g55h
nvd.nist.gov/vuln/detail/CVE-2024-43785
rustsec.org/advisories/RUSTSEC-2024-0364.html

Code Behaviors & Features

Detect and mitigate CVE-2024-43785 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →