CVE-2025-31130: 
Rust vulnerability analysis and mitigation

gitoxide is an implementation of git written in Rust. Before version 0.42.0, gitoxide was found to be vulnerable to SHA-1 hash collision attacks due to its use of SHA-1 hash implementations without collision detection. The vulnerability was discovered and disclosed on April 4, 2025, and affects multiple components including gitoxide-core, gix, and related packages (GitHub Advisory).

The vulnerability stems from gitoxide's use of the sha1_smol or sha1 crate, both of which implement standard SHA-1 without any mitigations for collision attacks. This implementation allows two distinct Git objects with colliding SHA-1 hashes to break the Git object model and integrity checks. The vulnerability has been assigned a CVSS v3.1 score of 6.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N, indicating it can be exploited remotely but requires high attack complexity (GitHub Advisory).

An attacker with sufficient resources to mount a SHA-1 collision attack could create two distinct Git objects with the same hash. As of 2020, such attacks were estimated to cost around $45,000 for a chosen-prefix collision or $11,000 for a classical collision, with projections suggesting costs below $10,000 by 2025. This could be exploited to disguise malicious repository contents or potentially exploit assumptions in programs using gitoxide. The vulnerability affects any user of gitoxide, including gix-* library crates, that reads or writes Git objects (GitHub Advisory).

The vulnerability has been fixed in gitoxide version 0.42.0 and corresponding versions of related packages. Users are recommended to upgrade to these patched versions: gitoxide >= 0.42.0, gitoxide-core >= 0.46.0, gix >= 0.71.0, and other related packages to their respective fixed versions (GitHub Advisory).