PT-2025-26838 · Unknown · Gitforge.Jl
Splitline
Published 2025-06-25 · Updated 2025-10-08
CVE-2025-50178
CVSS v4.0 6.6 Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions:
GitForge.jl versions prior to 0.4.3
Description:
The issue stems from a lack of input validation for user-provided values in certain functions. Specifically, in the GitForge.get_repo function for GitHub, the owner and repo fields can be manipulated by a user to reach unintended endpoints on api.github.com by inserting path traversal patterns such as ../. This is possible because the inputs are neither validated nor safely encoded before being sent to the server.
Recommendations:
For versions prior to 0.4.3, update to version 0.4.3 to resolve the issue. As a temporary workaround, validate and safely encode user-provided input for the owner and repo fields of the GitForge.get_repo function to prevent path traversal attacks.
Exploit
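The following added example (not GitForge.jl's own code) models the described defect and the recommended mitigation in Python: a URL builder that interpolates owner and repo raw, a resolver showing where a traversal input actually lands, and a hardened builder that validates each field as a single path segment and percent-encodes it. The name patterns and the explicit rejection of "." and ".." are assumptions for illustration, not rules taken from the advisory.

```python
"""Constructed illustration of the GitForge.jl GitHub get_repo issue (CVE-2025-50178):
owner/repo are interpolated into an api.github.com path, so a '../' segment
re-targets the request. build_repo_url_unsafe models the pre-0.4.3 pattern;
build_repo_url_safe models the recommended validation + encoding. Not project code."""
import posixpath
import re
from urllib.parse import quote, urlsplit

API = "https://api.github.com"

# Assumed segment rules: owner names are alphanumerics and hyphens; repo names
# also allow '.' and '_'. Bare '.' / '..' are rejected explicitly below.
OWNER_RE = re.compile(r"[A-Za-z0-9-]{1,39}")
REPO_RE = re.compile(r"[A-Za-z0-9_.-]{1,100}")


def build_repo_url_unsafe(owner: str, repo: str) -> str:
    """Pre-fix pattern: raw interpolation, no validation or encoding."""
    return f"{API}/repos/{owner}/{repo}"


def effective_path(url: str) -> str:
    """Resolve '.' and '..' as a server would, to show where the request really lands."""
    return posixpath.normpath(urlsplit(url).path)


def is_safe_segment(value: str, pattern: re.Pattern) -> bool:
    return value not in (".", "..") and pattern.fullmatch(value) is not None


def build_repo_url_safe(owner: str, repo: str) -> str:
    """Mitigation: validate each field as one path segment, then percent-encode with
    no characters exempt so '/', '?', '#' can never act as URL syntax."""
    if not is_safe_segment(owner, OWNER_RE):
        raise ValueError(f"invalid owner: {owner!r}")
    if not is_safe_segment(repo, REPO_RE):
        raise ValueError(f"invalid repo: {repo!r}")
    return f"{API}/repos/{quote(owner, safe='')}/{quote(repo, safe='')}"


def accepts(owner: str, repo: str) -> bool:
    """True if the hardened builder would issue a request for these inputs."""
    try:
        build_repo_url_safe(owner, repo)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed traversal input: the fields walk out of /repos/ to another endpoint.
    url = build_repo_url_unsafe("..", "../rate_limit")
    print(url, "->", effective_path(url))  # -> /rate_limit
    print("hardened accepts traversal input:", accepts("..", "../rate_limit"))  # False
    print(build_repo_url_safe("JuliaLang", "julia"))
```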
Fix
Path traversal
RCE
Related Identifiers
Affected Products
Gitforge.Jl