Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

CVE-2025-22620 PoC — gix-worktree-state nonexclusive checkout sets executable files world-writable

Source
https://github.com/EliahKagan/checkout-index
Associated Vulnerability
Title:gix-worktree-state nonexclusive checkout sets executable files world-writable (CVE-2025-22620)
Description:gitoxide is an implementation of git written in Rust. Prior to 0.17.0, gix-worktree-state specifies 0777 permissions when checking out executable files, intending that the umask will restrict them appropriately. But one of the strategies it uses to set permissions is not subject to the umask. This causes files in a repository to be world-writable in some situations. This vulnerability is fixed in 0.17.0.
Description
Reproducer for CVE-2025-22620
Readme
# checkout-index - Reproducer for CVE-2025-22620

This is the proof of concept code for [RUSTSEC-2025-0001](https://rustsec.org/advisories/RUSTSEC-2025-0001.html) (CVE-2025-22620, [GHSA-fqmf-w4xh-33rh](https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-fqmf-w4xh-33rh). It is the same code as in the advisory, but in the form of a Rust project, with `Cargo.toml` and `Cargo.lock` included.

The `main` branch has the version of the code presented in step 2 of the advisory, while the `unaffected-case` branch has the modification described in step 7 to show the effect of explicitly setting `destination_is_initially_empty: true`.

This repo was useful while writing the advisory, and I figured it might occasionally be useful to others. However, I expect this to be of much less interest than the advisory, and also this is not a substitute for the information in the advisory. As noted in the advisory, the vulnerability is fixed in `gix-worktree-state` 0.17.0.

## License

[**CC0-1.0**](COPYING), same as [the RUSTSEC advisory](https://rustsec.org/advisories/RUSTSEC-2025-0001.html).
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →