CVE-2025-50178 MEDIUM

CVE-2025-50178: GitForge.jl lacks validation for user provided fields

Vendor Juliaweb

Product GitForge.jl

Weakness CWE-20 · Input validation

Published June 25, 2025

Last update June 25, 2025

View on NVD All CVEs

CVSS base score

6.6/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

What the vulnerability does

01Description

GitForge.jl is a unified interface for interacting with Git "forges." Versions prior to 0.4.3 lack input validation for user provided values in certain functions. In the `GitForge.get_repo` function for GitHub, the user can provide any string for the owner and repo fields. These inputs are not validated or safely encoded and are sent directly to the server. This means a user can add path traversal patterns like `../` in the input to access any other endpoints on api.github.com that were not intended. Version 0.4.3 contains a patch for the issue. No known workarounds are available.

Key dates

02Disclosure timeline

June 25, 2025 CVE published

June 25, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-50178 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/20.html

Related vulnerabilities

CVE-2025-50178: GitForge.jl lacks validation for user provided fields

01Description

02Disclosure timeline

03References

04Related CVE