CVE-2025-50178
Awaiting Analysis Awaiting Analysis - Queue
BaseFortify

Publication date: 2025-06-25

Last updated on: 2025-06-26

Assigner: GitHub, Inc.

Description
GitForge.jl is a unified interface for interacting with Git "forges." Versions prior to 0.4.3 lack input validation for user provided values in certain functions. In the `GitForge.get_repo` function for GitHub, the user can provide any string for the owner and repo fields. These inputs are not validated or safely encoded and are sent directly to the server. This means a user can add path traversal patterns like `../` in the input to access any other endpoints on api.github.com that were not intended. Version 0.4.3 contains a patch for the issue. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-06-25
Last Modified
2025-06-26
Generated
2026-05-07
AI Q&A
2025-06-25
EPSS Evaluated
2026-05-05
NVD
CVE-2025-50178
EUVD
EUVD-2025-28369
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in GitForge.jl versions prior to 0.4.3 is due to a lack of input validation in the GitForge.get_repo() function. User-supplied strings for the 'owner' and 'repo' fields are not validated or safely encoded before being sent to the GitHub API server. This allows an attacker to inject path traversal sequences like '../' into these inputs, potentially enabling unauthorized access to unintended endpoints on api.github.com. [1]


How can this vulnerability impact me? :

The vulnerability can allow an attacker to perform unauthorized API calls by injecting path traversal patterns in the inputs, potentially accessing endpoints on api.github.com that were not intended to be accessible. This could lead to exposure of sensitive data or unauthorized actions via the GitHub API through GitForge.jl. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade GitForge.jl to version 0.4.3 or later, which contains the patch that properly validates and safely encodes user inputs in the GitForge.get_repo function, preventing path traversal attacks. No workarounds are available for earlier versions. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart