CVE-2026-44471

Name of the Vulnerable Software and Affected Versions gitoxide versions prior to 0.21.1

Description A malicious tree can be constructed that, when checked out, allows writing an attacker-controlled symlink into any directory where the user has write access. This occurs because gix fs::Stack::make relative path current() caches validated path prefixes. When a previously processed leaf component matches the leading components of the next path, the transition invokes delegate.push directory() instead of delegate.push(). In gix worktree::stack::delegate::StackDelegate, when the state is State::CreateDirectoryAndAttributesStack, the Attributes::push directory() function only loads attributes and bypasses the symlink metadata() check and unlink-on-collision logic found in StackDelegate::push()'s invocation of create leading directory(). Consequently, the final symlink is created using std::os::unix::fs::symlink, which follows symlinks in parent directories. An attacker can exploit this by providing a tree with duplicate symlink and directory entries to write files to sensitive locations, such as .git/hooks/post-checkout or ~/.local/bin, potentially leading to code execution.

Recommendations Update gitoxide to version 0.21.1.