CVE-2025-31130
Description
gitoxide is an implementation of Git written in Rust. Before version 0.42.0, gitoxide computed object hashes with plain SHA-1 implementations (the sha1_smol or sha1 crate) that carry no collision detection, so the object store has no way to notice a crafted SHA-1 collision. Two distinct Git objects with colliding SHA-1 digests would be treated as the same object, breaking the Git object model and the integrity checks built on it. The issue is fixed in gitoxide 0.42.0 (gix-features 0.41.0 and the dependent crates listed under Package impact).
Mitigations
No mitigations published for this CVE yet.
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | forky | fixed | 0.39.1-2 |
| debian | sid | fixed | 0.39.1-2 |
| debian | trixie | fixed | 0.39.1-2 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| crates.io | gix-features | <0.41.0 | 0.41.0 |
| crates.io | gix-commitgraph | <0.27.0 | 0.27.0 |
| crates.io | gix-index | <0.39.0 | 0.39.0 |
| crates.io | gix-object | <0.48.0 | 0.48.0 |
| crates.io | gix-odb | <0.68.0 | 0.68.0 |
| crates.io | gix-pack | <0.58.0 | 0.58.0 |
| crates.io | gitoxide | <0.42.0 | 0.42.0 |
| crates.io | gitoxide-core | <0.46.0 | 0.46.0 |
| crates.io | gix | <0.71.0 | 0.71.0 |
| crates.io | gix-archive | <0.20.0 | 0.20.0 |
| crates.io | gix-blame | <0.1.0 | 0.1.0 |
| crates.io | gix-config | <0.44.0 | 0.44.0 |
| crates.io | gix-diff | <0.51.0 | 0.51.0 |
| crates.io | gix-dir | <0.13.0 | 0.13.0 |
| crates.io | gix-discover | <0.39.0 | 0.39.0 |
| crates.io | gix-filter | <0.18.0 | 0.18.0 |
| crates.io | gix-fsck | <0.10.0 | 0.10.0 |
| crates.io | gix-merge | <0.4.0 | 0.4.0 |
| crates.io | gix-negotiate | <0.19.0 | 0.19.0 |
| crates.io | gix-protocol | <0.49.0 | 0.49.0 |
| crates.io | gix-ref | <0.51.0 | 0.51.0 |
| crates.io | gix-revision | <0.33.0 | 0.33.0 |
| crates.io | gix-revwalk | <0.19.0 | 0.19.0 |
| crates.io | gix-status | <0.18.0 | 0.18.0 |
| crates.io | gix-traverse | <0.45.0 | 0.45.0 |
| crates.io | gix-worktree | <0.40.0 | 0.40.0 |
| crates.io | gix-worktree-state | <0.18.0 | 0.18.0 |
References
- https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-2frx-2596-x5r6
- https://nvd.nist.gov/vuln/detail/CVE-2025-31130
- https://github.com/GitoxideLabs/gitoxide/commit/f253f02a6658b3b7612a50d56c71f5ae4da4ca21
- https://github.com/GitoxideLabs/gitoxide
- https://rustsec.org/advisories/RUSTSEC-2025-0021.html
- https://crates.io/crates/gix-features
- https://github.com/advisories/GHSA-2frx-2596-x5r6
- https://security-tracker.debian.org/tracker/CVE-2025-31130