PT-2026-38320 · Crates.Io · Gix-Fs
Published
2026-05-07
·
Updated
2026-05-07
·
CVE-2026-44471
CVSS v3.1
7.8
High
| Vector | AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Summary
A malicious tree can be constructed that will, when checked out with gitoxide, permit writing an attacker-controlled symlink into any existing directory the user has write access to.
Details
During checkout, all symlink index entries are deferred and created after regular files using a single shared
gix worktree::Stack. Internally, this uses a gix fs::Stack.gix fs::Stack::make relative path current() caches validated path prefixes: when the previously-processed leaf component exactly matches the leading component(s) of the next path, the leaf-to-directory transition at gix-fs/src/stack.rs:195-197 invokes only delegate.push directory(), never delegate.push().In
gix worktree::stack::delegate::StackDelegate, when the state member is State::CreateDirectoryAndAttributesStack, Attributes::push directory() only loads attributes (from the ODB, in the clone case), and does not perform any other checks. The on-disk symlink metadata() check and unlink-on-collision live in StackDelegate::push()'s invocation of create leading directory(), which is therefore bypassed for the cached prefix. The final symlink is created with plain std::os::unix::fs::symlink, which follows symlinks in parent directories.Therefore, it's possible to provide a tree with duplicate symlink and directory entries that exploits this. If a tree is constructed with:
- A
120000(symlink) entryathat points to.git/hooks. - A
040000(directory) entryawith a subtree that contains a symlink frompost-checkoutto../../payload. - A
100755(executable file) entrypayload.
This is converted by
gix index::State::from tree() into index entries ["a" (SYMLINK), "a/post-checkout" (SYMLINK)].Then, during the delayed symlink phase:
ais created as a symlink to e.g..git/hooks.- When processing
a/post-checkout, theaprefix is reused from the just-processed leaf entry without re-running the intermediate-directory check, after which… symlink(target, "<wt>/a/post-checkout")resolves through the just-created symlink to write.git/hooks/post-checkout.
Although this example uses
.git/hooks for simplicity, there's no actual requirement to write within the repo checkout. This can be fairly easily chained into code execution by writing to something that is known to be executed — for example, by writing to .git/hooks/post-checkout if the attacker knows that a hook-aware Git implementation will be used later, or by writing to something like ~/.local/bin.PoC
Attached is build-bad-repo.sh, which builds a repo with the aforementioned tree structure. Cloning it with
gix will set up the malicious .git/hooks/post-checkout, at which point anything that normally invokes the post-checkout hook will result in its execution, such as git checkout -b new-branch.Impact
Arbitrary symlink creation into any existing directory the user can write to.
Disclosure
This vulnerability was found by AI (specifically, Claude Mythos) as part of Project Glasswing. This advisory was written and verified by a human.
Fix
Link Following
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Gix-Fs