Skip to main content

Gitoxide

1 CVEs product

Monthly

CVE-2026-40034 Cargo HIGH POC PATCH GHSA This Week

Command injection in the gitoxide Rust library (gix-submodule crate before 0.82.0, gix before 0.83.0) allows attackers controlling a repository's .gitmodules file to bypass the CommandForbiddenInModulesConfiguration guard and achieve arbitrary command execution when Submodule::update() runs against a previously-initialized submodule. The flaw stems from gix_submodule::File::update() checking only whether a same-named section exists in .git/config rather than verifying that the update value itself originated from that trusted source, so an attacker-supplied 'update = !cmd' falls through to execution. Publicly available exploit code exists (PoC referenced by VulnCheck and Anthropic), though EPSS is low (0.02%) and the issue is not in CISA KEV.

RCE Command Injection Gitoxide
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.0%
EPSS 0% CVSS 8.5
HIGH POC PATCH This Week

Command injection in the gitoxide Rust library (gix-submodule crate before 0.82.0, gix before 0.83.0) allows attackers controlling a repository's .gitmodules file to bypass the CommandForbiddenInModulesConfiguration guard and achieve arbitrary command execution when Submodule::update() runs against a previously-initialized submodule. The flaw stems from gix_submodule::File::update() checking only whether a same-named section exists in .git/config rather than verifying that the update value itself originated from that trusted source, so an attacker-supplied 'update = !cmd' falls through to execution. Publicly available exploit code exists (PoC referenced by VulnCheck and Anthropic), though EPSS is low (0.02%) and the issue is not in CISA KEV.

RCE Command Injection Gitoxide
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy