JLSEC-2025-185

See a problem?
Please try reporting it to the source first.

Source

https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2025/JLSEC-2025-185.md

Import Source

https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2025/JLSEC-2025-185.json

JSON Data

https://api.osv.dev/v1/vulns/JLSEC-2025-185

Upstream

CVE-2024-24575

Published

2025-10-21T19:17:09.363Z

Modified

2025-11-06T23:03:29.403358Z

Summary

libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a...

Details

libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to git_revparse_single can cause the function to enter an infinite loop, potentially causing a Denial of Service attack in the calling application. The revparse function in src/libgit2/revparse.c uses a loop to parse the user-provided spec string. There is an edge-case during parsing that allows a bad actor to force the loop conditions to access arbitrary memory. Potentially, this could also leak memory if the extracted rev spec is reflected back to the attacker. As such, libgit2 versions before 1.4.0 are not affected. Users should upgrade to version 1.6.5 or 1.7.2.

Database specific

{
    "sources": [
        {
            "id": "CVE-2024-24575",
            "published": "2024-02-06T22:16:15.057Z",
            "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-24575",
            "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24575",
            "modified": "2024-11-21T08:59:27.280Z",
            "imported": "2025-10-21T17:12:53.562Z"
        }
    ],
    "license": "CC-BY-4.0"
}

References

Affected packages

Julia / LibGit2_jll

Package

Name: LibGit2_jll
Purl: pkg:julia/LibGit2_jll?uuid=e37daf67-58a4-590a-8e99-b0245dd2ffc5

Affected ranges

Type: SEMVER
Events: Introduced

1.4.3+0

Fixed

1.7.2+0