CVE-2026-44471: CWE-59: Improper Link Resolution Before File Access ('Link Following') in GitoxideLabs gitoxide
CVE-2026-44471 is a high-severity vulnerability in gitoxide versions prior to 0. 21. 1. It involves improper link resolution before file access, allowing a maliciously crafted git tree to write attacker-controlled symbolic links into any directory where the user has write permissions during checkout. The issue arises from a flaw in how symlink entries are deferred and created, bypassing certain directory checks and enabling symlink creation that follows parent directory links unsafely. This vulnerability is fixed in gitoxide version 0. 21. 1.
AI Analysis
Technical Summary
gitoxide, a Rust implementation of git, versions before 0.21.1 contain a CWE-59 (Improper Link Resolution Before File Access) vulnerability. During checkout, symlink index entries are deferred and created after regular files using a shared stack structure. The caching of validated path prefixes causes a bypass of critical checks that normally prevent unsafe symlink creation. Specifically, the on-disk symlink metadata check and unlink-on-collision logic are skipped for cached prefixes, allowing creation of symlinks that follow parent directories. This can be exploited by providing a tree with duplicate symlink and directory entries, enabling writing attacker-controlled symlinks into arbitrary directories writable by the user. The vulnerability is resolved in version 0.21.1.
Potential Impact
Successful exploitation allows an attacker to write symbolic links controlled by the attacker into any directory where the user has write access during a git checkout operation. This can lead to arbitrary file system modifications, potentially resulting in code execution, privilege escalation, or disruption of system integrity. The CVSS 3.1 base score is 7.8 (High), reflecting the local attack vector, low complexity, no privileges required, user interaction needed, and high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
A fix for this vulnerability is available in gitoxide version 0.21.1. Users and administrators should upgrade to version 0.21.1 or later to remediate this issue. No other vendor advisories or temporary mitigations are provided. Patch status is confirmed by the vendor's versioning information.
CVE-2026-44471: CWE-59: Improper Link Resolution Before File Access ('Link Following') in GitoxideLabs gitoxide
Description
CVE-2026-44471 is a high-severity vulnerability in gitoxide versions prior to 0. 21. 1. It involves improper link resolution before file access, allowing a maliciously crafted git tree to write attacker-controlled symbolic links into any directory where the user has write permissions during checkout. The issue arises from a flaw in how symlink entries are deferred and created, bypassing certain directory checks and enabling symlink creation that follows parent directory links unsafely. This vulnerability is fixed in gitoxide version 0. 21. 1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
gitoxide, a Rust implementation of git, versions before 0.21.1 contain a CWE-59 (Improper Link Resolution Before File Access) vulnerability. During checkout, symlink index entries are deferred and created after regular files using a shared stack structure. The caching of validated path prefixes causes a bypass of critical checks that normally prevent unsafe symlink creation. Specifically, the on-disk symlink metadata check and unlink-on-collision logic are skipped for cached prefixes, allowing creation of symlinks that follow parent directories. This can be exploited by providing a tree with duplicate symlink and directory entries, enabling writing attacker-controlled symlinks into arbitrary directories writable by the user. The vulnerability is resolved in version 0.21.1.
Potential Impact
Successful exploitation allows an attacker to write symbolic links controlled by the attacker into any directory where the user has write access during a git checkout operation. This can lead to arbitrary file system modifications, potentially resulting in code execution, privilege escalation, or disruption of system integrity. The CVSS 3.1 base score is 7.8 (High), reflecting the local attack vector, low complexity, no privileges required, user interaction needed, and high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
A fix for this vulnerability is available in gitoxide version 0.21.1. Users and administrators should upgrade to version 0.21.1 or later to remediate this issue. No other vendor advisories or temporary mitigations are provided. Patch status is confirmed by the vendor's versioning information.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-06T17:18:51.782Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a04f261cbff5d8610128026
Added to database: 5/13/2026, 9:51:29 PM
Last enriched: 5/13/2026, 10:06:21 PM
Last updated: 5/13/2026, 11:03:21 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.