Skip to main content

Repomix EUVDEUVD-2026-42273

| CVE-2026-59703 HIGH
Files or Directories Accessible to External Parties (CWE-552)
2026-07-08 disclosure@vulncheck.com GHSA-8wvr-gq96-hf34
8.7
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable endpoint (AV:N/PR:N/UI:N) with straightforward file:// bypass (AC:L); high confidentiality disclosure only, no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 16:01 EUVD
Analysis Generated
Jul 08, 2026 - 15:41 vuln.today

DescriptionCVE.org

repomix contains a local file inclusion vulnerability in the git clone endpoint that allows unauthenticated attackers to read arbitrary local git repositories. The isValidRemoteValue function in src/core/git/gitRemoteParse.ts fails to block file:// URLs, permitting attackers to supply file:// scheme URLs that bypass validation and are passed directly to git clone, enabling unauthorized access to all tracked file contents on the server filesystem.

AnalysisAI

Local file inclusion in Repomix's git clone HTTP endpoint lets unauthenticated remote attackers read arbitrary tracked file contents from git repositories on the server's filesystem. The isValidRemoteValue validation in src/core/git/gitRemoteParse.ts does not reject file:// scheme URLs, so a supplied file:///path/to/repo value is passed directly to git clone. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed Repomix clone endpoint
Delivery
Submit file:// scheme repo URL
Exploit
Bypass isValidRemoteValue scheme check
Execution
git clones local repository
Persist
Packed tracked files returned
Impact
Disclose server-side file contents

Vulnerability AssessmentAI

Exploitation Requires that the Repomix server/API mode exposing the git clone endpoint is deployed and network-reachable by the attacker (AV:N/PR:N/UI:N - no authentication or user interaction). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H) indicates a network-reachable, low-complexity, unauthenticated attack with high confidentiality impact and no integrity or availability impact, scoring 8.7 (High) - consistent with an information-disclosure primitive rather than code execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach an exposed Repomix git clone endpoint submits a repository value of file:///home/user/private-repo (or a similar server-local path) as the remote to clone. Repomix's validation fails to block the file:// scheme, git clones the local repository, and the attacker receives the packed contents of all git-tracked files from that path. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - the fix is commit c748b524f41225e7fc6f89ad0084520901a453cf (https://github.com/CrazyForks/repomix/commit/c748b524f41225e7fc6f89ad0084520901a453cf), which should be tracked to a tagged Repomix release and upgraded to once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Disable or restrict network access to Repomix git clone HTTP endpoint; review access logs for suspicious clone requests using file:// schemes. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42273 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy