CVE-2025-31130: gitoxide does not detect SHA-1 collision attacks
gitoxide uses SHA-1 hash implementations without any collision detection, leaving it vulnerable to hash collision attacks.
References
- github.com/GitoxideLabs/gitoxide
- github.com/GitoxideLabs/gitoxide/commit/f253f02a6658b3b7612a50d56c71f5ae4da4ca21
- github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-2frx-2596-x5r6
- github.com/advisories/GHSA-2frx-2596-x5r6
- nvd.nist.gov/vuln/detail/CVE-2025-31130
- rustsec.org/advisories/RUSTSEC-2025-0021.html