GHSA-794x-2rpg-rfgr: Jujutsu does not have SHA-1 collision detection

April 7, 2025

Jujutsu 0.28.0 and earlier rely on versions of gitoxide that use SHA-1 hash implementations without any collision detection, leaving them vulnerable to hash collision attacks.

References

github.com/advisories/GHSA-794x-2rpg-rfgr
github.com/jj-vcs/jj
github.com/jj-vcs/jj/commit/350da7d013773377aec0d3a4bf4374d3c941460e
github.com/jj-vcs/jj/security/advisories/GHSA-794x-2rpg-rfgr

Code Behaviors & Features

Detect and mitigate GHSA-794x-2rpg-rfgr with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →