Gitoxide · CVE-2026-44471
**Name of the Vulnerable Software and Affected Versions**
gitoxide versions prior to 0.21.1
**Description**
A malicious tree can be constructed that, when checked out, writes an attacker-controlled symlink into any directory the user can write to. The cause is that `gix_fs::Stack::make_relative_path_current()` caches validated path prefixes. When a previously processed leaf component matches the leading components of the next path, the transition invokes `delegate.push_directory()` instead of `delegate.push()`. In `gix_worktree::stack::delegate::StackDelegate`, when the state is `State::CreateDirectoryAndAttributesStack`, `Attributes::push_directory()` only loads attributes; it bypasses the `symlink_metadata()` check and the unlink-on-collision logic that `StackDelegate::push()` performs through `create_leading_directory()`. The final symlink is therefore created with `std::os::unix::fs::symlink`, which follows symlinks in the parent directories.

An attacker who supplies a tree containing both a symlink entry and a directory entry of the same name can thus write files to sensitive locations such as `.git/hooks/post-checkout` or `~/.local/bin`, potentially leading to code execution.
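The caching mistake described above, reduced to a toy model in an added example that is not gitoxide's own code: the `PathStack`, `ensure_real_dir`, `checkout` and the scratch directories are assumptions for illustration, not the project's API. The `revalidate_cached_leaf` switch selects between a stack that trusts a cached leaf when it is reused as a directory (the bug) and one that re-runs the `symlink_metadata` check and unlink-on-collision on that transition (the fix). The constructed tree holds `a` both as a symlink and as the parent of `a/evil`; the result reports where the final symlink landed.

```rust
use std::{fs, io};
use std::os::unix::fs::symlink;
use std::path::{Path, PathBuf};

/// A symlink entry of a tree: worktree-relative path and link target (constructed).
struct Link { path: &'static str, target: &'static str }

/// Make sure `dir` is a real directory, replacing a colliding symlink or file: the
/// `symlink_metadata()` + unlink-on-collision check that `push()` runs and the cached
/// `push_directory()` transition skips (hypothetical stand-in, not gitoxide's code).
fn ensure_real_dir(dir: &Path) -> io::Result<()> {
    match fs::symlink_metadata(dir) {
        Ok(md) if md.is_dir() => Ok(()),
        Ok(_) => {
            // Unlink first, or everything created below would be written through the link.
            fs::remove_file(dir)?;
            fs::create_dir(dir)
        }
        Err(e) if e.kind() == io::ErrorKind::NotFound => fs::create_dir(dir),
        Err(e) => Err(e),
    }
}

/// Toy model of a path stack that caches already-processed components.
/// Each entry is (component, validated-as-real-directory).
struct PathStack { root: PathBuf, comps: Vec<(String, bool)>, revalidate_cached_leaf: bool }

impl PathStack {
    /// Move the stack to `rel` (slash-separated, no `..`), validating directory components
    /// on the way, and return the absolute path at which the caller creates the leaf.
    fn make_relative_path_current(&mut self, rel: &str) -> io::Result<PathBuf> {
        let new: Vec<&str> = rel.split('/').filter(|c| !c.is_empty()).collect();
        let last = new.len().checked_sub(1).ok_or(io::ErrorKind::InvalidInput)?;
        // Components shared with the previous path stay cached on the stack.
        let shared = self.comps.iter().zip(&new).take_while(|(cached, next)| cached.0 == **next).count();
        self.comps.truncate(shared);
        let mut full = self.root.clone();
        for (i, comp) in new.iter().enumerate() {
            full.push(comp);
            if i < shared {
                // push_directory(): cached transition. A component cached as a *leaf* (the
                // symlink `a`) now used as a directory is re-checked only in the fixed variant.
                if i < last && !self.comps[i].1 && self.revalidate_cached_leaf {
                    ensure_real_dir(&full)?;
                    self.comps[i].1 = true;
                }
            } else if i < last {
                ensure_real_dir(&full)?; // push(): a fresh directory is always validated
                self.comps.push((comp.to_string(), true));
            } else {
                self.comps.push((comp.to_string(), false)); // the leaf itself
            }
        }
        Ok(full)
    }
}

/// Create every symlink below `root`; `fixed` selects the re-validating stack.
fn checkout(root: &Path, tree: &[Link], fixed: bool) -> io::Result<()> {
    let mut stack = PathStack { root: root.to_path_buf(), comps: Vec::new(), revalidate_cached_leaf: fixed };
    for link in tree {
        let full = stack.make_relative_path_current(link.path)?;
        // symlink(2) resolves symlinks in the parent path, so a stale `a` escapes `root`.
        symlink(link.target, &full)?;
    }
    Ok(())
}

/// `escaped`: a symlink landed outside the worktree; `a_is_real_dir`: `a` became a directory.
#[derive(Debug)]
struct Outcome { escaped: bool, a_is_real_dir: bool }

/// Check a constructed malicious tree out into a scratch directory under the system temp
/// dir and report where the final symlink ended up. `outside` stands in for `.git/hooks`.
fn demo(fixed: bool) -> io::Result<Outcome> {
    let base = std::env::temp_dir().join(format!("gix-symlink-demo-{}-{}", std::process::id(), fixed));
    let _ = fs::remove_dir_all(&base);
    let (work, outside) = (base.join("work"), base.join("outside"));
    fs::create_dir_all(&work).and(fs::create_dir_all(&outside))?;
    let tree = [
        Link { path: "docs/readme", target: "../README.md" }, // benign: exercises push()
        Link { path: "a", target: "../outside" },              // leaf, cached on the stack
        Link { path: "a/evil", target: "payload" },            // reuses cached `a` as a directory
    ];
    checkout(&work, &tree, fixed)?;
    let lstat = |p: PathBuf| fs::symlink_metadata(p).ok();
    let outcome = Outcome {
        escaped: lstat(outside.join("evil")).map_or(false, |m| m.file_type().is_symlink()),
        a_is_real_dir: lstat(work.join("a")).map_or(false, |m| m.is_dir()),
    };
    let _ = fs::remove_dir_all(&base);
    Ok(outcome)
}

fn main() -> io::Result<()> {
    println!("vulnerable: {:?}", demo(false)?); // escaped: true, a_is_real_dir: false
    println!("fixed:      {:?}", demo(true)?);  // escaped: false, a_is_real_dir: true
    Ok(())
}
```

Run it on a Unix host; it only writes under the system temp directory and removes that again. The point to carry over to any checkout or extraction code: a cache of validated path prefixes must record how a component was validated, not just its name, and a leaf-to-directory transition needs the same lstat and unlink-on-collision treatment as a freshly created directory, because `symlink(2)`, `open(2)` and friends resolve symlinks in the parent path before the final component is created.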
**Recommendations**
Update gitoxide to version 0.21.1 or later. Until the update is applied, do not check out trees from untrusted sources with gitoxide, since a crafted tree is all the attack requires.