CVE-2025-22620 MEDIUM

CVE-2025-22620: gix-worktree-state nonexclusive checkout sets executable files world-writable

Vendor Gitoxidelabs
Product gitoxide
Weakness CWE-281
Published January 20, 2025
Last update January 21, 2025

CVSS base score

5.0/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

gitoxide is an implementation of git written in Rust. Prior to 0.17.0, gix-worktree-state specifies 0777 permissions when checking out executable files, intending that the umask will restrict them appropriately. But one of the strategies it uses to set permissions is not subject to the umask. This causes files in a repository to be world-writable in some situations. This vulnerability is fixed in 0.17.0.

Key dates

02Disclosure timeline

January 20, 2025 CVE published
January 21, 2025 Record updated