CVE-2025-22620

NameCVE-2025-22620
Descriptiongitoxide is an implementation of git written in Rust. Prior to 0.17.0, gix-worktree-state specifies 0777 permissions when checking out executable files, intending that the umask will restrict them appropriately. But one of the strategies it uses to set permissions is not subject to the umask. This causes files in a repository to be world-writable in some situations. This vulnerability is fixed in 0.17.0.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1093883

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rust-gix-worktree-state (PTS)sid, trixie0.14.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
rust-gix-worktree-statesource(unstable)0.11.1-21093883

Notes

https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-fqmf-w4xh-33rh
https://rustsec.org/advisories/RUSTSEC-2025-0001.html
Search for package or bug name: Reporting problems