CVE-2026-59703
Received Received - Intake

Local File Inclusion in Repomix via Git Clone Endpoint

Vulnerability report for CVE-2026-59703, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

repomix contains a local file inclusion vulnerability in the git clone endpoint that allows unauthenticated attackers to read arbitrary local git repositories. The isValidRemoteValue function in src/core/git/gitRemoteParse.ts fails to block file:// URLs, permitting attackers to supply file:// scheme URLs that bypass validation and are passed directly to git clone, enabling unauthorized access to all tracked file contents on the server filesystem.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-552 The product makes files or directories accessible to unauthorized actors, even though they should not be.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The CVE-2026-59703 vulnerability allows unauthenticated attackers to read arbitrary local git repositories on the server filesystem, exposing sensitive configuration files, source code, and other tracked files. Since the server runs as root, this exposure can include highly sensitive data from CI/CD pipelines and mounted volumes.

Such unauthorized access to sensitive data can lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls over access to personal and sensitive information. The exposure of confidential files and configurations could result in non-compliance due to inadequate protection of sensitive data.

Therefore, this vulnerability poses a significant risk to compliance with common security and privacy standards by enabling unauthorized data disclosure.

Executive Summary

CVE-2026-59703 is a Local File Inclusion (LFI) vulnerability in repomix's git clone endpoint. The vulnerability arises because the function responsible for validating remote URLs, isValidRemoteValue, fails to block URLs using the file:// scheme. This allows unauthenticated attackers to supply file:// URLs that bypass validation and are passed directly to the git clone command.

As a result, attackers can make the server clone local git repositories on its filesystem and read the contents of tracked files. Since the server runs as root, any git repository readable by root, including sensitive repositories from CI/CD pipelines or mounted volumes, can be accessed without authentication.

The exploit involves sending a crafted POST request to the /api/pack endpoint with a file:// URL pointing to a sensitive local git repository, causing the server to return the contents of the repository's tracked files (excluding .env files).

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information stored in local git repositories on the server. Attackers can read source code, configuration files, and other tracked files that may contain secrets or proprietary information.

Because the server runs as root, the exposure is extensive, potentially including repositories from CI/CD pipelines, mounted volumes, or node_modules packages containing .git directories.

The impact is significant as it compromises confidentiality, exposing sensitive data without requiring any authentication or user interaction.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or unauthorized POST requests to the /api/pack endpoint that include file:// URLs in the payload, which attempt to clone local git repositories.

You can inspect network traffic or server logs for requests containing file:// URL schemes targeting the git clone functionality.

For example, using command-line tools, you might search web server logs for suspicious requests:

  • grep -i 'file://' /var/log/nginx/access.log
  • grep -i 'file://' /var/log/httpd/access_log

Additionally, monitoring outgoing git clone commands or API calls that include file:// URLs can help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation involves restricting the repository cloning functionality to only allow public HTTPS URLs and blocking file:// URLs and other potentially dangerous protocols.

Apply strict validation on URLs before invoking git clone, ensuring that protocols like file://, http://, ssh://, and git:// are blocked, as well as internal or private IP addresses.

If possible, update repomix to a version that includes the security fix (e.g., the commit c748b524f41225e7fc6f89ad0084520901a453cf) which enforces these restrictions.

In the short term, consider disabling or restricting access to the /api/pack endpoint to trusted users or networks until a patch can be applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59703. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart