CVE-2024-35197
📋 TL;DR
This vulnerability in gitoxide on Windows allows a malicious repository to cause a denial of service or to write attacker-controlled data to system devices: when a clone or checkout creates a ref or file whose name matches a legacy Windows device name (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9, with or without an extension), Windows opens the device instead of a file. Only users running gitoxide on Windows and cloning untrusted repositories are affected.
💻 Affected Systems
- gitoxide
⚠️ Manual Verification Required
This CVE does not carry version ranges in our database, so automatic vulnerability detection cannot determine whether your system is affected.
Why? The NVD entry does not specify which versions are vulnerable (no version ranges are provided). The vendor advisory linked below names the fixed release; use it as the reference.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attacker-controlled repository content written to a system device: writing to CON puts arbitrary text on the user's console, so the output looks as if it came from the application, while opening other device names can block the process indefinitely or destabilise the system.
Likely Case
Denial of service: opening a device-named path (for example reading from CON, which waits for console input) blocks the process indefinitely, so the clone or checkout hangs.
If Mitigated
No impact if not using Windows, or if only cloning trusted repositories.
🎯 Exploit Status
Exploitation is straightforward and needs no special tooling: an attacker commits a file, or creates a ref, whose name matches a Windows device name and induces a Windows user to clone or check out the repository. The public advisory describes the behaviour.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.36.0 and later
Vendor Advisory: https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9
Restart Required: No
Instructions:
1. Update gitoxide to version 0.36.0 or later using cargo update -p gitoxide
2. Rebuild any applications using gitoxide as a dependency
🔧 Temporary Workarounds
Avoid untrusted repositories (Windows)
Only clone repositories from trusted sources on Windows systems
Use an alternative Git client (Windows)
Temporarily use the official Git client or another trusted Git implementation; Git for Windows rejects reserved device names in paths
🧯 If You Can't Patch
- Restrict gitoxide usage to trusted repositories only
- Validate repository content before checking it out: reject any tree entry or ref whose path contains a component that resolves to a Windows device name
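The check described above, as an added example that is not gitoxide's own code: it flags path components that Windows resolves to a device (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9), case-insensitively, regardless of any extension and ignoring trailing dots and spaces, which is the rule the Win32 path parser applies. The sample paths are constructed for the demonstration.

```rust
// Added example (not part of gitoxide or the advisory): reject repository
// paths whose components would open a Windows device instead of a file.

/// Returns true if a single path component names a Windows device.
/// "CON.txt", "con", "aux." and "prn " all resolve to the device.
pub fn is_reserved_windows_name(component: &str) -> bool {
    // The Win32 path parser strips trailing spaces and dots.
    let trimmed = component.trim_end_matches(|c| c == ' ' || c == '.');
    // Only the base name before the first '.' matters ("CON.txt" -> "CON").
    let stem = trimmed.split('.').next().unwrap_or("").trim_end();
    let upper = stem.to_ascii_uppercase();
    match upper.as_str() {
        "CON" | "PRN" | "AUX" | "NUL" => true,
        // COM1..COM9 and LPT1..LPT9 (COM10 and LPT0 are ordinary names).
        s if s.len() == 4 && (s.starts_with("COM") || s.starts_with("LPT")) => {
            matches!(s.as_bytes()[3], b'1'..=b'9')
        }
        _ => false,
    }
}

/// Returns the first offending component of a repository-relative path
/// (git uses '/' as the separator), or None when the path is safe to create.
pub fn reserved_component(path: &str) -> Option<&str> {
    path.split('/').find(|c| is_reserved_windows_name(c))
}

/// Scans tree entry (or ref) paths and returns the ones that must be rejected
/// before any checkout on Windows.
pub fn find_reserved_paths<'a>(paths: &[&'a str]) -> Vec<&'a str> {
    paths
        .iter()
        .copied()
        .filter(|p| reserved_component(p).is_some())
        .collect()
}

fn main() {
    // Constructed sample of paths as they might appear in a malicious tree.
    let sample = [
        "README.md", "src/main.rs", "CON", "docs/con.txt", "COM1",
        "lpt9.log", "nul/x", "connect.rs", "COM10", "aux.", "prn ",
    ];
    for p in find_reserved_paths(&sample) {
        println!("reject: {p}");
    }
}
```

Run the scan over the paths of every tree entry and ref name before creating anything on disk; a single hit is reason to abort the checkout, since Windows resolves the device name in any directory, not only at the repository root.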
🔍 How to Verify
Check if Vulnerable:
Check the resolved gitoxide version with cargo tree | grep gitoxide, or look for the gitoxide entry in Cargo.lock; any version below 0.36.0 is vulnerable. Applications usually depend on the gix library crate (and its gix-* sub-crates) rather than on the gitoxide binary crate, so check those entries as well against the versions listed in the vendor advisory.
Check Version:
cargo tree | grep gitoxide
cargo tree -i gix
Verify Fix Applied:
Confirm that cargo tree | grep gitoxide reports 0.36.0 or higher and that no older copy remains in Cargo.lock (a lock file can pin several versions of one crate).
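An added example, not taken from the page or from gitoxide, that performs the Cargo.lock check above without external crates: Cargo.lock is simple TOML in which every dependency is a [[package]] table with name and version lines, so a line-oriented parse suffices. The lock file content is a constructed sample; the fixed version for the gix library crates is an assumption you must take from the vendor advisory, which is why the function takes it as a parameter.

```rust
// Added example (not part of gitoxide or the advisory): find entries in a
// Cargo.lock that are older than a known-fixed version of a crate.

#[derive(Debug, PartialEq)]
pub struct Finding {
    pub name: String,
    pub version: String,
}

/// Parses "MAJOR.MINOR.PATCH"; a "-pre" or "+build" suffix is ignored, so a
/// pre-release of the fixed version is treated as fixed. Returns None on junk.
pub fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|s| s.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Extracts (name, version) pairs from Cargo.lock text.
pub fn lock_packages(lock: &str) -> Vec<(String, String)> {
    let mut out = Vec::new();
    let mut name: Option<String> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None; // start of a new package table
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            // Only a version that follows a name belongs to a package;
            // the top-level `version = 3` lock-format line has no name.
            if let Some(n) = name.take() {
                out.push((n, v.trim_matches('"').to_string()));
            }
        }
    }
    out
}

/// Returns every pinned copy of `crate_name` older than `fixed`. Versions
/// that do not parse are reported too, so they get a manual look.
pub fn outdated(lock: &str, crate_name: &str, fixed: (u64, u64, u64)) -> Vec<Finding> {
    lock_packages(lock)
        .into_iter()
        .filter(|(n, _)| n == crate_name)
        .filter(|(_, v)| parse_version(v).map_or(true, |p| p < fixed))
        .map(|(name, version)| Finding { name, version })
        .collect()
}

/// Constructed sample lock file, not from a real project.
pub const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "gitoxide"
version = "0.35.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde"
version = "1.0.203"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    // 0.36.0 is the fixed gitoxide release named on this page.
    for f in outdated(SAMPLE_LOCK, "gitoxide", (0, 36, 0)) {
        println!("vulnerable: {} {}", f.name, f.version);
    }
}
```

Call outdated once per crate you care about (gitoxide, gix, and any gix-* crate the advisory lists) with that crate's own fixed version; a lock file can contain several copies of one crate, and this reports each old copy separately.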
📡 Detection & Monitoring
Log Indicators:
- Failed clone operations on Windows
- Application hangs during git operations
- Unexpected device access errors
Network Indicators:
- Cloning from unfamiliar or untrusted repository sources
SIEM Query:
process.name:("gix.exe" OR "ein.exe") AND (event.action:"clone" OR event.action:"fetch") AND os.platform:"windows"
Note: gitoxide installs its command-line tools as gix and ein, so match on those process names (and on any application binary that embeds the gix crate) rather than on "gitoxide".