CVE-2023-53158
BaseFortify
Publication date: 2025-07-28
Last updated on: 2025-07-29
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitoxide | gix-transport | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2023-53158 is a command execution vulnerability in the gix-transport Rust crate before version 0.36.1. It occurs because the crate improperly sanitizes the username portion of SSH clone URLs, allowing attackers to inject malicious SSH options. Specifically, if the username in an SSH URL starts with a hyphen, it can be interpreted as an SSH command-line option, enabling attackers to smuggle options like -oProxyCommand that execute arbitrary commands. Exploitation typically requires cloning or fetching a repository using a crafted SSH URL and may also require placing a malicious SSH configuration file in the current directory. This vulnerability allows arbitrary code execution in the context of the user running the git operation. The issue was fixed by stricter sanitization of URL arguments in later versions. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can lead to arbitrary code execution on your system if you clone or fetch a Git repository using a maliciously crafted SSH URL. An attacker can exploit this by injecting SSH options that cause the execution of arbitrary commands, such as launching applications or running scripts. The attack requires user interaction (e.g., running a clone command with the malicious URL) and may also require the presence of a malicious SSH configuration file in the current working directory. If exploited, it could compromise the security of your environment by executing unauthorized code with your user privileges. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for usage of the `gix clone` command with suspicious SSH URLs that include option-like substrings such as `ssh://-oProxyCommand=...`. Specifically, commands that attempt to clone repositories using SSH URLs starting with a hyphen or containing unusual SSH options should be flagged. For example, you can search shell history or logs for commands like `gix clone 'ssh://-oProxyCommand=open$IFS...'`. Additionally, inspecting SSH command invocations or audit logs for unusual SSH arguments may help detect exploitation attempts. There is no specific built-in detection command provided, but monitoring for suspicious clone URLs and command-line arguments related to SSH in `gix-transport` usage is recommended. [1, 2, 3]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade the `gix-transport` crate to version 0.36.1 or later, as the vulnerability is patched in that version. If you are using the `gix` tool, upgrade to version 0.62.0 or later, which includes stricter sanitization preventing malicious SSH URL arguments. Additionally, avoid cloning or fetching from untrusted repositories or URLs that could contain malicious SSH options. Ensure that no malicious SSH configuration files are present in the current working directory to prevent exploitation via the `-F` option. Applying these updates and precautions will prevent arbitrary code execution via this vulnerability. [1, 3]
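As an added example (not code from gix-transport or from this page), the Rust pre-check below flags SSH clone URLs whose user or host would be read by `ssh` as a command-line option, so it can be run over URLs pulled from logs as described under detection, or applied before a URL is handed to a git client as an extra mitigation. It goes beyond the username case described above by also checking the host, the scp-like `user@host:path` form and a percent-encoded leading hyphen; `SshUrlIssue` and `check_ssh_url` are hypothetical names and the sample URLs are constructed.

```rust
// Added example; `SshUrlIssue` and `check_ssh_url` are hypothetical names,
// not part of the gix-transport API.
#[derive(Debug, PartialEq)]
pub enum SshUrlIssue {
    UserLooksLikeOption(String),
    HostLooksLikeOption(String),
}

/// True if ssh would parse `s` as an option: leading '-', raw or percent-encoded.
fn looks_like_option(s: &str) -> bool {
    s.starts_with('-') || s.to_ascii_lowercase().starts_with("%2d")
}

/// Ok(()) for non-SSH URLs and for SSH URLs whose user and host are safe to pass to ssh.
pub fn check_ssh_url(url: &str) -> Result<(), SshUrlIssue> {
    let authority = if url.get(..6).map_or(false, |p| p.eq_ignore_ascii_case("ssh://")) {
        // ssh://[user@]host[:port]/path (scheme matched case-insensitively)
        url[6..].split('/').next().unwrap_or("")
    } else if !url.contains("://") {
        // scp-like form [user@]host:path; a '/' before the ':' means a local path
        match url.split_once(':') {
            Some((auth, _path)) if !auth.contains('/') => auth,
            _ => return Ok(()),
        }
    } else {
        return Ok(()); // another transport (https://, file://, ...)
    };
    let (user, host) = match authority.rsplit_once('@') {
        Some((user, host)) => (Some(user), host),
        None => (None, authority),
    };
    if let Some(u) = user.filter(|u| looks_like_option(u)) {
        return Err(SshUrlIssue::UserLooksLikeOption(u.to_string()));
    }
    if looks_like_option(host) {
        return Err(SshUrlIssue::HostLooksLikeOption(host.to_string()));
    }
    Ok(())
}

fn main() {
    // Constructed sample inputs; PLACEHOLDER stands in for an option value.
    for url in [
        "ssh://git@example.com/repo.git",
        "ssh://-oProxyCommand=PLACEHOLDER@example.com/repo.git",
        "-oProxyCommand=PLACEHOLDER@example.com:repo.git",
    ] {
        println!("{url}: {:?}", check_ssh_url(url));
    }
}
```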