GHSA-g27r-r6ph-vf5r

Source

https://github.com/advisories/GHSA-g27r-r6ph-vf5r

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g27r-r6ph-vf5r/GHSA-g27r-r6ph-vf5r.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-g27r-r6ph-vf5r

Aliases

RUSTSEC-2026-0109

Published

2026-05-04T22:28:50Z

Modified

2026-05-06T06:56:26.102307095Z

Severity

1.8 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

sequoia-git has broken hard revocation handling

Details

Before sq-git checks if a commit can be authenticated, it first looks for hard revocations. Because parsing a policy is expensive and a project's policy rarely changes, sq-git has an optimization to only check a policy if it hasn't checked it before. It does this by maintaining a set of policies that it had already seen keyed on the policy's hash. Unfortunately, due to a bug the hash was truncated to be 0 bytes and thus only hard revocations in the target commit were considered. Normally this is not a problem as hard revocations are not removed from the signing policy.

An attacker could nevertheless exploit this flaw as follows. Consider Alice and Bob who maintain a project together. If Bob's certificate is compromised and Bob issues a hard revocation, Alice can add it to the project's signing policy. An attacker who has access to Bob's key can then create a merge request that strips the hard revocation. If Alice merges Bob's merge request, then the latest commit will not carry the hard revocation, and sq-git will not see the hard revocation when authenticating that commit or any following commits.

Note: for this attack to be successful, Alice needs to be tricked into merging the malicious MR. If Alice is reviewing MRs, then she is likely to notice changes to the signing policy.

Reported-by: Hassan Sheet

Database specific

{
    "cwe_ids": [
        "CWE-299"
    ],
    "github_reviewed_at": "2026-05-04T22:28:50Z",
    "github_reviewed": true,
    "severity": "LOW",
    "nvd_published_at": null
}

References

Affected packages

crates.io / sequoia-git

Package

Name: sequoia-git; View open source insights on deps.dev
Purl: pkg:cargo/sequoia-git

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.6.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g27r-r6ph-vf5r/GHSA-g27r-r6ph-vf5r.json"