GHSA-f89h-2fjh-2r9q
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f89h-2fjh-2r9q
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-f89h-2fjh-2r9q/GHSA-f89h-2fjh-2r9q.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-f89h-2fjh-2r9q
- Aliases
-
- CVE-2026-44471
- Related
- Published
- 2026-05-07T00:01:28Z
- Modified
- 2026-05-07T22:14:09.882857629Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- gix-fs: Symlink prefix-reuse allows worktree escape during checkout
- Details
-
Summary
A malicious tree can be constructed that will, when checked out with gitoxide, permit writing an attacker-controlled symlink into any existing directory the user has write access to.
Details
During checkout, all symlink index entries are deferred and created after regular files using a single shared
gix_worktree::Stack. Internally, this uses agix_fs::Stack.gix_fs::Stack::make_relative_path_current()caches validated path prefixes: when the previously-processed leaf component exactly matches the leading component(s) of the next path, the leaf-to-directory transition atgix-fs/src/stack.rs:195-197invokes onlydelegate.push_directory(), neverdelegate.push().In
gix_worktree::stack::delegate::StackDelegate, when the state member isState::CreateDirectoryAndAttributesStack,Attributes::push_directory()only loads attributes (from the ODB, in the clone case), and does not perform any other checks. The on-disksymlink_metadata()check and unlink-on-collision live inStackDelegate::push()'s invocation ofcreate_leading_directory(), which is therefore bypassed for the cached prefix. The final symlink is created with plainstd::os::unix::fs::symlink, which follows symlinks in parent directories.Therefore, it's possible to provide a tree with duplicate symlink and directory entries that exploits this. If a tree is constructed with:
- A
120000(symlink) entryathat points to.git/hooks. - A
040000(directory) entryawith a subtree that contains a symlink frompost-checkoutto../../payload. - A
100755(executable file) entrypayload.
This is converted by
gix_index::State::from_tree()into index entries["a" (SYMLINK), "a/post-checkout" (SYMLINK)].Then, during the delayed symlink phase:
ais created as a symlink to e.g..git/hooks.- When processing
a/post-checkout, theaprefix is reused from the just-processed leaf entry without re-running the intermediate-directory check, after which… symlink(target, "<wt>/a/post-checkout")resolves through the just-created symlink to write.git/hooks/post-checkout.
Although this example uses
.git/hooksfor simplicity, there's no actual requirement to write within the repo checkout. This can be fairly easily chained into code execution by writing to something that is known to be executed — for example, by writing to.git/hooks/post-checkoutif the attacker knows that a hook-aware Git implementation will be used later, or by writing to something like~/.local/bin.PoC
Attached is build-bad-repo.sh, which builds a repo with the aforementioned tree structure. Cloning it with
gixwill set up the malicious.git/hooks/post-checkout, at which point anything that normally invokes thepost-checkouthook will result in its execution, such asgit checkout -b new-branch.Impact
Arbitrary symlink creation into any existing directory the user can write to.
Disclosure
This vulnerability was found by AI (specifically, Claude Mythos) as part of Project Glasswing. This advisory was written and verified by a human.
- A
- Database specific
{ "cwe_ids": [ "CWE-59" ], "severity": "HIGH", "github_reviewed_at": "2026-05-07T00:01:28Z", "github_reviewed": true, "nvd_published_at": null }- References
Affected packages
crates.io / gix-fs
Package
- Name
- gix-fs
- View open source insights on deps.dev
- Purl
- pkg:cargo/gix-fs