PT-2026-38894 · Crates.Io · Gitoxide+1

Published

2026-05-05

·

Updated

2026-05-05

CVSS v4.0

7.7

High

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

Summary

attachments: pocs.zip
Submodule names coming from .gitmodules are exposed as unvalidated names and are later reused to derive the submodule git directory as:
<superproject common dir>/modules/<submodule name>
Because the submodule name is joined directly as a filesystem path component, a name such as ../../../escaped-target.git escapes .git/modules after normalization. The current implementation then uses that escaped path in both state() and open().
The updated PoC demonstrates the real sink, not just string construction:
  • state() reports repository exists=true for the traversed path;
  • open() returns a repository whose normalized common dir() matches the attacker-chosen repository outside .git/modules.

Root cause analysis

The relevant flow is:
  1. gix-submodule/src/access.rs exposes unvalidated submodule names from configuration.
  2. gix/src/submodule/mod.rs derives the git directory by doing common dir().join("modules").join(name) with no confinement check.
  3. gix/src/submodule/mod.rs uses that derived path during state resolution and repository opening.
There is no normalization-and-confinement step between “submodule name from configuration” and “filesystem path used for repository existence checks / open.” As a result, traversal segments in the submodule name directly influence which repository path is inspected and opened.

Reproduce steps

Use the attached PoC zip that contains the pocs/ workspace.
  1. Unzip the PoC archive.
  2. Enter pocs/F002.
  3. Run:
cargo run --quiet
  1. Compare the output with pocs/F002/result.txt.
Key outputs are:
  • submodule name=../../../escaped-target.git
  • derived git dir raw=.../.git/modules/../../../escaped-target.git
  • derived git dir normalized=.../artifacts/escaped-target.git
  • escaped target=.../artifacts/escaped-target.git
  • repository exists=true
  • submodule opened=true
  • opened common dir normalized=.../artifacts/escaped-target.git
  • normalized git dir matches target=true
  • opened common dir matches target=true
  • target outside modules root=true
These outputs show that gitoxide is not only constructing a traversable path string. It is actually using the escaped path for repository existence checks and for opening a repository object.

Impact

Confirmed impact:
  • a malicious submodule name can redirect submodule state inspection away from .git/modules/<name> to an attacker-chosen repository path outside .git/modules;
  • Submodule::state() can report repository existence for the wrong repository;
  • Submodule::open() can return a repository object backed by that attacker-chosen path.
This is best described as a path-traversal / repository-confusion issue in submodule repository resolution.
This report does not claim command execution from this behavior alone. The demonstrated impact is repository redirection: callers that enumerate, inspect, or operate on submodules can be steered into using the wrong repository.

Recommended fix

Two complementary fixes are advisable:
  1. do not reuse raw submodule names as filesystem path fragments;
  • either use a validated/sanitized name for filesystem derivation,
  • or derive the storage path from a safe identifier instead of the user-controlled name;
  1. add an explicit confinement check after path derivation;
  • normalize or canonicalize the candidate path,
  • verify that the result stays under <common dir>/modules,
  • reject names that contain traversal segments, path separators, or any representation that can escape the modules root.
In short, submodule names may remain opaque configuration identifiers, but they should not be treated as trusted filesystem subpaths.

Fix

Path traversal

Weakness Enumeration

CWE-22

Related Identifiers

GHSA-FR8X-3VFX-F45H

Affected Products

Gitoxide
Gix