CVE-2025-50178

GitForge.jl is a unified interface for interacting with Git "forges." Versions prior to 0.4.3 lack input validation for user provided values in certain functions. In the `GitForge.get_repo` function for GitHub, the user can provide any string for the owner and repo fields. These inputs are not validated or safely encoded and are sent directly to the server. This means a user can add path traversal patterns like `../` in the input to access any other endpoints on api.github.com that were not intended. Version 0.4.3 contains a patch for the issue. No known workarounds are available.

CVSS

No CVSS.

References

Link	Resource
https://github.com/JuliaWeb/GitForge.jl/pull/50
https://github.com/JuliaWeb/GitForge.jl/security/advisories/GHSA-g2xx-229f-3qjm

Configurations

No configuration.

History

26 Jun 2025, 18:57

Type	Values Removed	Values Added
Summary		(es) GitForge.jl es una interfaz unificada para interactuar con las forjas de Git. Las versiones anteriores a la 0.4.3 carecen de validación de entrada para los valores proporcionados por el usuario en ciertas funciones. En la función `GitForge.get_repo` de GitHub, el usuario puede proporcionar cualquier cadena para los campos "propietario" y "repositorio". Estas entradas no se validan ni codifican de forma segura y se envían directamente al servidor. Esto significa que un usuario puede añadir patrones de path traversal como `../` en la entrada para acceder a cualquier otro endpoint en api.github.com que no estuviera previsto. La versión 0.4.3 incluye un parche para este problema. No se conocen soluciones alternativas.

25 Jun 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-25 16:15

Updated : 2025-06-26 18:57

NVD link : CVE-2025-50178

Mitre link : CVE-2025-50178

CVE.ORG link : CVE-2025-50178

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2025-50178", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-25T16:15:26.693", "references": [{"url": "https://github.com/JuliaWeb/GitForge.jl/pull/50", "source": "security-advisories@github.com"}, {"url": "https://github.com/JuliaWeb/GitForge.jl/security/advisories/GHSA-g2xx-229f-3qjm", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "GitForge.jl is a unified interface for interacting with Git \"forges.\" Versions prior to 0.4.3 lack input validation for user provided values in certain functions. In the `GitForge.get_repo` function for GitHub, the user can provide any string for the owner and repo fields. These inputs are not validated or safely encoded and are sent directly to the server. This means a user can add path traversal patterns like `../` in the input to access any other endpoints on api.github.com that were not intended. Version 0.4.3 contains a patch for the issue. No known workarounds are available."}, {"lang": "es", "value": "GitForge.jl es una interfaz unificada para interactuar con las forjas de Git. Las versiones anteriores a la 0.4.3 carecen de validaci\u00f3n de entrada para los valores proporcionados por el usuario en ciertas funciones. En la funci\u00f3n `GitForge.get_repo` de GitHub, el usuario puede proporcionar cualquier cadena para los campos \"propietario\" y \"repositorio\". Estas entradas no se validan ni codifican de forma segura y se env\u00edan directamente al servidor. Esto significa que un usuario puede a\u00f1adir patrones de path traversal como `../` en la entrada para acceder a cualquier otro endpoint en api.github.com que no estuviera previsto. La versi\u00f3n 0.4.3 incluye un parche para este problema. No se conocen soluciones alternativas."}], "lastModified": "2025-06-26T18:57:43.670", "sourceIdentifier": "security-advisories@github.com"}