PT-2025-14868 · Gitoxide · Gitoxide

Published: 2025-04-03 · Updated: 2025-04-15 · CVE-2025-31130
CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: gitoxide versions prior to 0.42.0
Description: gitoxide computes Git object hashes with a plain SHA-1 implementation that performs no collision detection, which leaves it exposed to hash collision attacks. Two distinct Git objects whose SHA-1 hashes collide break the Git object model, which assumes that an object ID names exactly one object, and every integrity check built on that assumption. SHA-1 is no longer considered cryptographically secure, and practical collisions have been published. Git mitigates the problem by hashing with the sha1collisiondetection (sha1dc) variant, which rejects inputs shaped like the known collision attacks, and additionally offers SHA-256 object hashes; affected gitoxide versions support neither. An attacker who can get a crafted object into a repository can therefore pair it with a second, different object bearing the same hash, either to disguise malicious repository contents or to break assumptions made by programs that use gitoxide.
Recommendations: Update gitoxide to version 0.42.0 or later. Until the update can be applied, avoid relying on gitoxide for operations whose safety depends on object-hash integrity, such as trusting that an object received from an untrusted remote is the one its ID names.
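As an added example (not code from this advisory or from the gitoxide project), the following POSIX shell check scans a Cargo.lock for a crate pinned below an advisory's fixed version, here `gitoxide` against 0.42.0 as stated above. It assumes the crate appears in the lock file under the name you pass; Rust libraries usually depend on gitoxide's `gix*` workspace crates rather than the `gitoxide` binary crate, so pass whichever crate name and fixed version apply to your dependency tree. The lock-file excerpt is constructed for the demonstration and is not from any real project.

```shell
#!/bin/sh
# Added example: audit a Cargo.lock for a crate pinned below an advisory's fixed version.
# Not code from the advisory or the gitoxide project. Assumes the lock file lists the
# crate under the name passed in (here "gitoxide", the name the advisory uses) and that
# versions are dotted numerics, optionally with a -pre/+build suffix, which is ignored.

# Constructed Cargo.lock excerpt for the demonstration; not from any real project.
SAMPLE_LOCK='version = 4

[[package]]
name = "gitoxide"
version = "0.41.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde"
version = "1.0.200"
source = "registry+https://github.com/rust-lang/crates.io-index"
'

# write_sample_lock PATH: write the constructed excerpt to PATH.
write_sample_lock() {
    printf '%s' "$SAMPLE_LOCK" > "$1"
}

# lock_versions FILE CRATE: print every version of CRATE pinned in FILE, one per line.
# A lock file may pin the same crate at several versions, so all of them are reported.
lock_versions() {
    awk -v crate="$2" '
        /^\[\[package\]\]/ { name = ""; ver = "" }
        /^name = /    { gsub(/"/, "", $3); name = $3 }
        /^version = / { gsub(/"/, "", $3); ver = $3; if (name == crate) print ver }
    ' "$1"
}

# version_lt A B: exit 0 when dotted version A sorts strictly below B, comparing
# up to three numeric components; missing components count as 0.
version_lt() {
    _a=${1%%[-+]*}; _b=${2%%[-+]*}          # drop pre-release / build suffixes
    set -- $(printf '%s\n' "$_a" | tr . ' ')
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $(printf '%s\n' "$_b" | tr . ' ')
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# audit_lock FILE CRATE FIXED: report each pin of CRATE in FILE; exit 1 if any is below FIXED.
audit_lock() {
    _found=0
    for v in $(lock_versions "$1" "$2"); do
        if version_lt "$v" "$3"; then
            echo "VULNERABLE: $2 $v pinned in $1 (fixed in $3)"
            _found=1
        else
            echo "ok: $2 $v pinned in $1"
        fi
    done
    return $_found
}

# Stand-alone run against the constructed lock file, using the advisory's fixed version.
tmp=$(mktemp)
write_sample_lock "$tmp"
if audit_lock "$tmp" gitoxide 0.42.0; then
    echo "no vulnerable pins found"
else
    echo "update required (CVE-2025-31130 / RUSTSEC-2025-0021)"
fi
rm -f "$tmp"
```

On a real project, `cargo audit` against the RustSec database (RUSTSEC-2025-0021 is listed under Related Identifiers) answers the same question for the whole dependency graph; the script above is for CI stages or build hosts that only carry the lock file and no Rust toolchain.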

Related Identifiers

CVE-2025-31130
GHSA-2frx-2596-x5r6
OPENSUSE-SU-2025:14994-1
RUSTSEC-2025-0021

Affected Products

Gitoxide