GHSA-794x-2rpg-rfgr

Source
https://github.com/advisories/GHSA-794x-2rpg-rfgr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-794x-2rpg-rfgr/GHSA-794x-2rpg-rfgr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-794x-2rpg-rfgr
Published
2025-04-07T16:40:25Z
Modified
2025-04-07T16:40:25Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Summary
Jujutsu does not have SHA-1 collision detection
Details

Summary

Jujutsu 0.28.0 and earlier rely on versions of gitoxide that use SHA-1 hash implementations without any collision detection, leaving them vulnerable to hash collision attacks.

Details

This is a result of the underlying CVE-2025-31130 / GHSA-2frx-2596-x5r6 vulnerability in the gitoxide library Jujutsu uses to interact with Git repositories; see that advisory for technical details. This separate advisory is being issued due to the downstream impact on users of Jujutsu.

Impact

An attacker able to mount a collision attack on SHA-1, such as the SHAttered or SHA-1 is a Shambles attacks, could create two distinct Git objects with the same hash. Such attacks are becoming increasingly affordable for well-resourced attackers: the Shambles researchers estimated in 2020 that a chosen-prefix collision cost $45k and a classical collision $11k, and projected that a chosen-prefix collision would cost less than $10k by 2025. A colliding object could be used to disguise malicious repository contents, or potentially to exploit assumptions in Jujutsu’s logic and cause further vulnerabilities.

Database specific
{
    "github_reviewed": true,
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-328"
    ],
    "github_reviewed_at": "2025-04-07T16:40:25Z",
    "severity": "MODERATE"
}
References

Affected packages

crates.io / jj-lib

Affected ranges
Type: SEMVER
Events:
  Introduced: 0 (unknown introduced version; all previous versions are affected)
  Fixed: 0.28.1

Database specific
source: "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-794x-2rpg-rfgr/GHSA-794x-2rpg-rfgr.json"

crates.io / jj-cli

Affected ranges
Type: SEMVER
Events:
  Introduced: 0 (unknown introduced version; all previous versions are affected)
  Fixed: 0.28.1

Database specific
source: "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-794x-2rpg-rfgr/GHSA-794x-2rpg-rfgr.json"