GHSA-6mw6-mj76-grwc: gix-date can create non-utf8 string with `TimeBuf::as_str`

January 5, 2026

The function gix_date::parse::TimeBuf::as_str can create an illegal string containing non-utf8 characters. This violates the safety invariant of TimeBuf and can lead to undefined behavior when consuming the string.

The bug can be prevented by adding str::from_utf8 to the function TimeBuf::write.

References

github.com/GitoxideLabs/gitoxide
github.com/GitoxideLabs/gitoxide/commit/76376ef5e97c63e108db0c9fe2eb096f4bfe70f7
github.com/GitoxideLabs/gitoxide/issues/2305
github.com/GitoxideLabs/gitoxide/pull/2306
github.com/advisories/GHSA-6mw6-mj76-grwc
rustsec.org/advisories/RUSTSEC-2025-0140.html

Code Behaviors & Features

Detect and mitigate GHSA-6mw6-mj76-grwc with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →