CVE-2025-31130: gitoxide does not detect SHA-1 collision attacks
gitoxide uses SHA-1 hash implementations without any collision detection, leaving it vulnerable to hash collision attacks.
References
- github.com/GitoxideLabs/gitoxide
- github.com/GitoxideLabs/gitoxide/commit/4660f7a6f71873311f68f170b0f1f6659a02829d
- github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-2frx-2596-x5r6
- github.com/advisories/GHSA-2frx-2596-x5r6
- nvd.nist.gov/vuln/detail/CVE-2025-31130
- rustsec.org/advisories/RUSTSEC-2025-0021.html