RUSTSEC-2025-0021: 
Rust vulnerability analysis and mitigation

gitoxide, an implementation of git written in Rust, was found to be vulnerable to SHA-1 hash collision attacks prior to version 0.42.0. The vulnerability, identified as RUSTSEC-2025-0021 (CVE-2025-31130), was discovered and disclosed in April 2025. The issue affects multiple components of the gitoxide ecosystem, including the core library and various gix-* crates (GitHub Advisory).

The vulnerability stems from gitoxide's use of the sha1_smol or sha1 crate implementations, which provide standard SHA-1 functionality without any collision detection mechanisms. These implementations lack the necessary mitigations that were introduced in Git 2.13.0 (2017) through the sha1collisiondetection algorithm. The issue has been assigned a CVSS score of 6.8 (Moderate), with attack vector being Network, attack complexity High, and no privileges required (GitHub Advisory).

An attacker capable of mounting a SHA-1 collision attack could create two distinct Git objects with identical hashes. By 2025, the cost of such attacks was projected to be less than $10,000 for a chosen-prefix collision. This could be exploited to disguise malicious repository contents or potentially exploit logical assumptions in programs using gitoxide. The vulnerability affects any implementation that reads or writes Git objects using gitoxide or its associated gix-* library crates (GitHub Advisory).

The vulnerability has been fixed in gitoxide version 0.42.0 and corresponding versions of related packages: gix 0.71.0, gix-core 0.46.0, and various other gix-* crates. Users are advised to upgrade to these patched versions (GitHub Advisory).