PT-2025-4606 · Gitoxide · Gitoxide

Eliahkagan

·

Published

2025-01-18

·

Updated

2025-04-15

·

CVE-2025-22620

CVSS v3.1

5.0

Medium

Vector AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions The gix-worktree-state crate of gitoxide (used by the gix crate for checkouts), versions prior to 0.17.0.
Description The issue arises from gix-worktree-state requesting 0777 permissions when checking out executable files. The intent is that the process umask strips the group and world write bits, but only one of the two strategies the crate uses to set permissions honours the umask: a mode passed to open(2) when a file is created is masked by the kernel, whereas a mode applied afterwards with chmod(2) is written literally. In the situations where the second strategy is used, executable files in the checked-out repository end up world-writable (mode 0777) regardless of the umask. This problem affects Unix-like systems but not Windows. It can lead to security issues on multi-user systems, where any local user can modify the checked-out executables, or where separate accounts are used to run software with reduced privileges, since a less-privileged account can alter files the more-privileged account will later execute.
Recommendations For versions prior to 0.17.0, update gix-worktree-state to version 0.17.0 or later, which resolves the issue. As a temporary workaround, set the `destination_is_initially_empty` option to `true` when calling `gix::worktree::state::checkout`, so that the checkout takes the code path that creates files with the mode passed to open(2) and avoids the strategy that bypasses the umask; this is only correct when the destination directory really is empty. After a checkout with an unpatched version, verify that no file is world-writable (for example `find <worktree> -type f -perm -o+w`) before relying on it. The most effective solution remains updating to a fixed version.
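The difference between the two permission-setting strategies the advisory describes can be reproduced with a few lines of Rust. The following is an added example, not gitoxide or gix-worktree-state code; it models the umask-safe strategy as "pass 0777 to open(2)" and the vulnerable one as "create the file, then chmod it to 0777", which is an assumption about how the crate behaves that matches the description above. It also shows a hardened variant that applies the umask explicitly before calling chmod, and a `is_world_writable` check of the kind a practitioner would run over a checked-out worktree. All function and directory names are hypothetical; the example is Unix-only.

```rust
// Added example (not gitoxide code): reproduce the umask behaviour behind
// CVE-2025-22620 and show a hardened alternative. Unix-only.
use std::fs::{self, File, OpenOptions};
use std::io;
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};

/// Permission bits of `path`, restricted to the rwxrwxrwx mask
/// (setuid/setgid/sticky bits are deliberately dropped).
pub fn mode_bits(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}

/// Strategy A (umask-safe): request 0777 in open(2) with O_CREAT.
/// The kernel clears the umask bits itself, so 0777 becomes e.g. 0755.
pub fn create_with_open_mode(path: &Path) -> io::Result<u32> {
    OpenOptions::new()
        .write(true)
        .create_new(true)
        .mode(0o777)
        .open(path)?;
    mode_bits(path)
}

/// Strategy B (the vulnerable pattern, as assumed for this example):
/// create the file first, then chmod(2) it to 0777. chmod is not filtered
/// by the umask, so the file is world-writable whatever the umask is.
pub fn create_then_chmod(path: &Path) -> io::Result<u32> {
    File::create(path)?;
    fs::set_permissions(path, fs::Permissions::from_mode(0o777))?;
    mode_bits(path)
}

/// Probe the process umask without the libc crate: create a scratch file
/// requesting 0777 and see which bits the kernel removed.
pub fn probe_umask(scratch_dir: &Path) -> io::Result<u32> {
    let probe = scratch_dir.join(format!("umask-probe-{}", std::process::id()));
    let got = create_with_open_mode(&probe)?;
    fs::remove_file(&probe)?;
    Ok(0o777 & !got)
}

/// Hardened strategy B: when chmod must be used (e.g. the file already
/// exists), apply the umask yourself instead of relying on the kernel.
pub fn create_then_chmod_masked(path: &Path, umask: u32) -> io::Result<u32> {
    File::create(path)?;
    fs::set_permissions(path, fs::Permissions::from_mode(0o777 & !umask))?;
    mode_bits(path)
}

/// Post-checkout check: is `path` writable by "other"?
pub fn is_world_writable(path: &Path) -> io::Result<bool> {
    Ok(mode_bits(path)? & 0o002 != 0)
}

/// Scratch directory under the system temp dir, unique per tag and process.
pub fn scratch_dir(tag: &str) -> io::Result<PathBuf> {
    let dir = std::env::temp_dir()
        .join(format!("cve-2025-22620-{}-{}", tag, std::process::id()));
    fs::create_dir_all(&dir)?;
    Ok(dir)
}

fn main() -> io::Result<()> {
    let dir = scratch_dir("demo")?;
    let umask = probe_umask(&dir)?;
    println!("process umask: {:04o}", umask);
    let a = dir.join("open-mode");
    let b = dir.join("chmod-after");
    let c = dir.join("chmod-masked");
    println!("open(2) with mode 0777 -> {:04o}", create_with_open_mode(&a)?);
    println!(
        "create + chmod 0777    -> {:04o} (world-writable: {})",
        create_then_chmod(&b)?,
        is_world_writable(&b)?
    );
    println!("create + chmod masked  -> {:04o}", create_then_chmod_masked(&c, umask)?);
    fs::remove_dir_all(&dir)
}
```

Running it under a typical umask of 022 prints 0755 for the open(2) path, 0777 (world-writable: true) for the chmod path, and 0755 again for the masked chmod. The point is that the second result is independent of the umask, which is exactly why a checkout that takes that code path leaves executables world-writable.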

Weakness Enumeration

CWE-281: Improper Preservation of Permissions

Related Identifiers

CVE-2025-22620
GHSA-fqmf-w4xh-33rh
OPENSUSE-SU-2025:14994-1
RUSTSEC-2025-0001

Affected Products

Gitoxide