Skip to main content

GitForge.jl CVE-2025-52569

| EUVDEUVD-2025-19117 MEDIUM
Improper Input Validation (CWE-20)
2025-06-25 security-advisories@github.com
6.6
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.6 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
5.9.1
EUVD ID Assigned
Mar 15, 2026 - 23:19 euvd
EUVD-2025-19117
Analysis Generated
Mar 15, 2026 - 23:19 vuln.today
CVE Published
Jun 25, 2025 - 17:15 nvd
MEDIUM 6.6

DescriptionGitHub Advisory

GitForge.jl is a unified interface for interacting with Git "forges." Versions prior to 5.9.1 lack input validation of input validation for user-provided values in certain functions. In the GitHub.repo() function, the user can provide any string for the repo_name field. These inputs are not validated or safely encoded and are sent directly to the server. This means a user can add path traversal patterns like ../ in the input to access any other endpoints on api.github.com that were not intended. Users should upgrade immediately to v5.9.1 or later to receive a patch. All prior versions are vulnerable. No known workarounds are available.

Analysis

GitForge.jl is a unified interface for interacting with Git "forges." Versions prior to 5.9.1 lack input validation of input validation for user-provided values in certain functions. In the GitHub.repo() function, the user can provide any string for the repo_name field. These inputs are not validated or safely encoded and are sent directly to the server. This means a user can add path traversal patterns like ../ in the input to access any other endpoints on api.github.com that were not intended. Users should upgrade immediately to v5.9.1 or later to receive a patch. All prior versions are vulnerable. No known workarounds are available.

Technical ContextAI

Path traversal allows an attacker to access files outside the intended directory by manipulating file paths with sequences like '../'. This vulnerability is classified as Improper Input Validation (CWE-20).

RemediationAI

Validate and sanitize file path inputs. Use a whitelist of allowed files or directories. Implement chroot jails or containerization.

Share

CVE-2025-52569 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy