Rust is a multi-paradigm programming language focused on performance and safety, especially safe concurrency.

Rust

### Summary
Jujutsu 0.28.0 and earlier rely on versions of gitoxide that use SHA-1 hash implementations without any collision detection, leaving them vulnerable to hash collision attacks.
### Details
This is a result of the underlying [CVE-2025-31130 / GHSA-2frx-2596-x5r6](https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-2frx-2596-x5r6) vulnerability in the gitoxide library Jujutsu uses to interact with Git repositories; see that advisory for technical details. This separate advisory is being issued due to the downstream impact on users of Jujutsu.
### Impact
An attacker with the ability to mount a collision attack on SHA-1 like the [SHAttered](https://shattered.io/) or [SHA-1 is a Shambles](https://sha-mbles.github.io/) attacks could create two distinct Git objects with the same hash. This is becoming increasingly affordable for well‐resourced attackers, with the Shambles researchers in 2020 estimating $45k for a chosen‐prefix collision or $11k for a classical collision, and projecting less than $10k for a chosen‐prefix collision by 2025. The result could be used to disguise malicious repository contents, or potentially exploit assumptions in Jujutsu’s logic to cause further vulnerabilities.

GHSA-794x-2rpg-rfgr:
Rust vulnerability analysis and mitigation

Overview

Technical details

Impact

Mitigation and workarounds

Additional resources

6.8

Benchmark your Cloud Security Posture

Additional Wiz resources

Cloud Vulnerability DB

Cloud threat landscape

PEACH

Ready to see Wiz in action?

GHSA-794x-2rpg-rfgr: Rust vulnerability analysis and mitigation