gitoxide - Command Injection via Partial .gitmodules Override in gix-submodule | Advisories

Advisories

gitoxide - Command Injection via Partial .gitmodules Override in gix-submodule

severity: high
date: 5/26/2026
Affecting: gitoxide < 0.82.0
CVE: CVE-2026-40034
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVSS: 7.3
CVSS V4 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: GHSA Advisory GHSA-f26g-jm89-4g65
https://github.com/GitoxideLabs/gitoxide/commit/6a2e6a436f76c8bbf2487f9967413a51356667a0
https://github.com/GitoxideLabs/gitoxide/commit/dd5c18d9e526e8de462fa40aa047acd097cfa7dc
Anthropic CVD Finding ANT-2026-6SNS6KMP
Description: gix-submodule before 0.82.0 incorrectly validates the update field in .gitmodules, allowing attackers to bypass the CommandForbiddenInModulesConfiguration guard when a submodule has been initialized with only partial configuration in .git/config. An attacker can inject arbitrary shell commands via the update field in .gitmodules that will be executed when Submodule::update() is called on a previously-initialized submodule, enabling remote code execution.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo