{"id":"CVE-2025-22620","summary":"gix-worktree-state nonexclusive checkout sets executable files world-writable","details":"gitoxide is an implementation of git written in Rust. Prior to version 0.17.0, the gix-worktree-state crate specifies 0777 permissions when checking out executable files, intending that the umask will restrict them appropriately. However, one of the strategies it uses to set permissions is not subject to the umask, so executable files in a repository can be left world-writable in some situations. This vulnerability is fixed in gix-worktree-state 0.17.0.","aliases":["GHSA-fqmf-w4xh-33rh","RUSTSEC-2025-0001"],"modified":"2026-05-18T05:57:25.266882075Z","published":"2025-01-20T15:38:32.388Z","related":["CGA-cg4v-5v2g-2745","openSUSE-SU-2025:14994-1"],"database_specific":{"cwe_ids":["CWE-281","CWE-687"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22620.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22620.json"},{"type":"ADVISORY","url":"https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-fqmf-w4xh-33rh"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22620"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gitoxidelabs/gitoxide","events":[{"introduced":"0"},{"fixed":"d071583c5576fdf5f7717765ffed5681792aa81f"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"0.17.0"}],"source":"AFFECTED_FIELD"}}],"versions":["cargo-smart-release-v0.13.0","git-worktree-v0.6.0","git-url-v0.10.0","git-traverse-v0.18.0","git-transport-v0.21.0","git-sec-v0.4.1","git-revision-v0.6.0","git-repository-v0.25.0","git-refspec-v0.3.0","git-ref-v0.17.0","git-protocol-v0.21.0","git-packetline-v0.13.1","git-pack-v0.24.0","git-odb-v0.34.0","git-object-v0.22.0","git-mailmap-v0.5.0","git-index-v0.6.0","git-hash-v0.9.11","git-features-v0.23.0","git-discover-v0.6.0","git-diff-v0.20.0","git-credentials-v0.6.0","g
it-config-v0.9.0","git-attributes-v0.5.0","git-actor-v0.13.0","git-url-v0.8.0","git-features-v0.22.4","git-traverse-v0.16.4","git-repository-v0.23.1","git-discover-v0.4.2","git-diff-v0.18.1","git-hash-v0.9.7","git-features-v0.22.1","cargo-smart-release-v0.12.1","cargo-smart-release-v0.12.0","git-url-v0.7.3","git-traverse-v0.16.3","git-transport-v0.19.3","git-repository-v0.23.0","git-refspec-v0.1.1","git-ref-v0.15.4","git-protocol-v0.19.1","git-pack-v0.22.0","git-odb-v0.32.0","git-object-v0.20.3","git-diff-v0.18.0","git-config-v0.7.1","git-worktree-v0.4.3","git-testtools-v0.8.0","git-ref-v0.15.3","git-index-v0.4.3","git-attributes-v0.3.3","git-revision-v0.4.4","git-features-v0.22.3","git-worktree-v0.4.2","git-repository-v0.22.0","git-validate-v0.5.5","git-url-v0.7.2","git-traverse-v0.16.2","git-transport-v0.19.2","git-tempfile-v2.0.4","git-sec-v0.3.1","git-revision-v0.4.2","git-refspec-v0.1.0","git-ref-v0.15.2","git-quote-v0.2.1","git-protocol-v0.19.0","git-packetline-v0.12.7","git-pack-v0.21.2","git-odb-v0.31.2","git-object-v0.20.2","git-mailmap-v0.3.2","git-lock-v2.1.1","git-index-v0.4.2","git-hash-v0.9.8","git-glob-v0.3.2","git-features-v0.22.2","git-discover-v0.4.1","git-diff-v0.17.2","git-date-v0.0.5","git-credentials-v0.4.0","git-config-v0.7.0","git-chunk-v0.3.1","git-bitmap-v0.1.2","git-attributes-v0.3.2","git-actor-v0.11.3","git-path-v0.4.1","git-revision-v0.4.1","git-repository-v0.21.1","git-date-v0.0.4","git-actor-v0.11.2","v0.14.0","gitoxide-core-v0.16.0","git-commitgraph-v0.8.1","git-worktree-v0.4.1","git-repository-v0.21.0","git-url-v0.7.1","git-traverse-v0.16.1","git-transport-v0.19.1","git-tempfile-v2.0.3","git-revision-v0.4.0","git-ref-v0.15.1","git-protocol-v0.18.1","git-packetline-v0.12.6","git-pack-v0.21.1","git-odb-v0.31.1","git-object-v0.20.1","git-mailmap-v0.3.1","git-index-v0.4.1","git-discover-v0.4.0","git-diff-v0.17.1","git-date-v0.0.3","git-config-v0.6.1","git-bitmap-v0.1.1","git-attributes-v0.3.1","git-actor-v0.11.1","v0.13.0","gitoxide-cor
e-v0.15.0","git-worktree-v0.4.0","git-repository-v0.20.0","git-commitgraph-v0.8.0","git-url-v0.7.0","git-traverse-v0.16.0","git-transport-v0.19.0","git-revision-v0.3.0","git-protocol-v0.18.0","git-pack-v0.21.0","git-odb-v0.31.0","git-mailmap-v0.3.0","git-index-v0.4.0","git-discover-v0.3.0","git-diff-v0.17.0","git-credentials-v0.3.0","git-config-v0.6.0","git-tempfile-v2.0.2","git-sec-v0.3.0","git-ref-v0.15.0","git-path-v0.4.0","git-object-v0.20.0","git-hash-v0.9.6","git-glob-v0.3.1","git-features-v0.22.0","git-date-v0.0.2","git-attributes-v0.3.0","git-actor-v0.11.0","git-sec-v0.1.2","git-discover-v0.1.3","cargo-smart-release-v0.10.2","git-repository-v0.18.1","git-path-v0.1.3","git-discover-v0.1.2","cargo-smart-release-v0.10.1","git-sec-v0.1.1","git-repository-v0.18.0","git-path-v0.1.2","git-pack-v0.19.1","git-discover-v0.1.1","git-config-v0.4.0","cargo-smart-release-v0.10.0","git-worktree-v0.2.0","git-repository-v0.17.0","git-url-v0.5.0","git-traverse-v0.15.0","git-transport-v0.17.0","git-revision-v0.2.0","git-ref-v0.13.0","git-protocol-v0.16.0","git-packetline-v0.12.5","git-pack-v0.19.0","git-odb-v0.29.0","git-mailmap-v0.2.0","git-index-v0.3.0","git-discover-v0.1.0","git-validate-v0.5.4","git-sec-v0.1.0","git-path-v0.1.1","git-object-v0.19.0","git-lock-v2.1.0","git-hash-v0.9.4","git-glob-v0.3.0","git-features-v0.21.0","git-diff-v0.16.0","git-credentials-v0.1.0","git-config-v0.3.0","git-attributes-v0.1.0","git-actor-v0.10.0","v0.12.0","gitoxide-core-v0.14.0","git-revision-v0.1.0","git-repository-v0.16.0","git-traverse-v0.14.0","git-ref-v0.12.1","git-pack-v0.18.0","git-odb-v0.28.0","git-diff-v0.15.0","git-config-v0.2.1","git-testtools-v0.6.0","v0.11.0","gitoxide-core-v0.13.0","git-commitgraph-v0.7.0","git-worktree-v0.1.0","git-url-v0.4.0","git-traverse-v0.13.0","git-transport-v0.16.0","git-tempfile-v2.0.1","git-repository-v0.15.0","git-ref-v0.12.0","git-quote-v0.2.0","git-protocol-v0.15.0","git-packetline-v0.12.4","git-pack-v0.17.0","git-odb-v0.27.0","git-mailmap-v0.1
.0","git-lock-v2.0.0","git-index-v0.2.0","git-diff-v0.14.0","git-bitmap-v0.1.0","cargo-smart-release-v0.9.0","git-object-v0.18.0","git-actor-v0.9.0","git-config-v0.2.0","git-features-v0.20.0","git-hash-v0.9.3","git-note-v0.0.0","git-mailmap-v0.0.0","git-quote-v0.1.0","git-pathspec-v0.0.0","git-attributes-v0.0.0","git-tempfile-v2.0.0","git-tempfile-v1.0.6","git-actor-v0.8.1","git-revision-v0.0.0","git-pack-v0.16.1","git-object-v0.17.1","git-hash-v0.9.2","git-tempfile-v1.0.5","git-config-v0.1.11","cargo-smart-release-v0.8.0","git-repository-v0.14.0","git-ref-v0.11.0","git-protocol-v0.14.0","git-url-v0.3.5","git-transport-v0.15.0","git-packetline-v0.12.3","git-odb-v0.26.0","git-traverse-v0.12.0","git-tempfile-v1.0.4","git-pack-v0.16.0","git-diff-v0.13.0","git-chunk-v0.3.0","git-object-v0.17.0","git-config-v0.1.10","git-actor-v0.8.0","git-features-v0.19.1","git-hash-v0.9.1","git-index-v0.1.0","git-hash-v0.9.0","git-features-v0.19.0","git-bitmap-v0.0.1","git-bitmap-v0.0.0","git-worktree-v0.0.0","git-chunk-v0.2.0","git-chunk-v0.1.0","git-traverse-v0.11.0","git-transport-v0.14.0","git-repository-v0.13.0","git-ref-v0.10.0","git-protocol-v0.13.0","git-packetline-v0.12.2","git-pack-v0.15.0","git-odb-v0.25.0","git-object-v0.16.0","git-diff-v0.12.0","git-config-v0.1.9","git-actor-v0.7.0","cargo-smart-release-v0.7.0","git-features-v0.18.0","git-repository-v0.12.0","cargo-smart-release-v0.6.0","git-traverse-v0.10.1","git-transport-v0.13.1","git-ref-v0.9.1","git-protocol-v0.12.1","git-packetline-v0.12.1","git-pack-v0.14.0","git-odb-v0.24.0","git-object-v0.15.1","git-diff-v0.11.1","git-config-v0.1.8","cargo-smart-release-v0.5.6","cargo-smart-release-v0.5.5","cargo-smart-release-v0.5.4","cargo-smart-release-v0.5.3","v0.10.0","cargo-smart-release-v0.5.2","cargo-smart-release-v0.5.1","cargo-smart-release-v0.5.0","gitoxide-core-v0.12.0","git-traverse-v0.10.0","git-transport-v0.13.0","git-repository-v0.11.0","git-ref-v0.9.0","git-protocol-v0.12.0","git-packetline-v0.12.0","git-pack-v0.1
3.0","git-odb-v0.23.0","git-object-v0.15.0","git-hash-v0.8.0","git-features-v0.17.0","git-diff-v0.11.0","git-commitgraph-v0.6.0","git-actor-v0.6.0","v0.9.0","gitoxide-core-v0.11.0","git-commitgraph-v0.5.0","git-validate-v0.5.3","git-url-v0.3.4","git-traverse-v0.9.0","git-transport-v0.12.0","git-tempfile-v1.0.3","git-repository-v0.10.0","git-ref-v0.8.0","git-protocol-v0.11.0","git-packetline-v0.11.0","git-pack-v0.12.0","git-odb-v0.22.0","git-object-v0.14.1","git-lock-v1.0.1","git-hash-v0.7.0","git-features-v0.16.5","git-diff-v0.10.0","git-config-v0.1.7","git-actor-v0.5.3","cargo-smart-release-v0.4.0","git-repository-v0.9.1","git-ref-v0.7.3","git-tempfile-v1.0.2","v0.8.4","gitoxide-core-v0.10.5","git-ref-v0.7.2","git-protocol-v0.10.4","git-odb-v0.21.3","git-tempfile-v1.0.1","git-repository-v0.9.0","git-ref-v0.7.1","git-odb-v0.21.2","git-pack-v0.11.0","git-traverse-v0.8.2","git-diff-v0.9.2","git-object-v0.14.0","git-actor-v0.5.2","cargo-smart-release-v0.3.1","v0.8.3","gitoxide-core-v0.10.4","git-commitgraph-v0.4.4","git-repository-v0.8.2","git-ref-v0.7.0","git-protocol-v0.10.3","git-packetline-v0.10.1","git-odb-v0.21.1","git-pack-v0.10.0","git-traverse-v0.8.1","git-diff-v0.9.1","git-object-v0.13.1","git-config-v0.1.6","git-actor-v0.5.1","git-features-v0.16.4","git-hash-v0.6.0","gitoxide-core-v0.10.3","git-protocol-v0.10.2","git-transport-v0.11.1","git-config-v0.1.5","git-commitgraph-v0.4.3","git-repository-v0.8.1","cargo-smart-release-v0.3.0","git-repository-v0.8.0","git-protocol-v0.10.1","git-ref-v0.6.0","git-protocol-v0.10.0","git-transport-v0.11.0","git-packetline-v0.10.0","git-odb-v0.21.0","git-pack-v0.9.0","git-traverse-v0.8.0","git-features-v0.16.3","git-diff-v0.9.0","git-object-v0.13.0","git-actor-v0.5.0","git-actor-v0.4.0","git-lock-v1.0.0","git-tempfile-v1.0.0","git-testtools-v0.5.0","v0.8.2","gitoxide-core-v0.10.2","git-config-v0.1.4","git-commitgraph-v0.4.2","git-repository-v0.7.2","git-ref-v0.5.4","git-lock-v0.3.2","git-protocol-v0.9.0","git-transport-v0.10
.1","git-url-v0.3.3","git-packetline-v0.9.1","git-odb-v0.20.2","git-pack-v0.8.2","git-traverse-v0.7.2","git-tempfile-v0.6.1","git-diff-v0.8.2","git-object-v0.12.2","git-validate-v0.5.2","git-actor-v0.3.3","git-features-v0.16.2","git-hash-v0.5.1","cargo-smart-release-v0.2.4","cargo-smart-release-v0.2.3","cargo-smart-release-v0.2.2","git-ref-v0.5.3","v0.8.1","gitoxide-v0.8.1","gitoxide-v0.8.0","gitoxide-core-v0.10.1","git-config-v0.1.3","git-commitgraph-v0.4.1","cargo-smart-release-v0.2.1","cargo-smart-release-v0.2.0","cargo-smart-release-v0.1.0","git-repository-v0.7.1","git-ref-v0.5.2","git-protocol-v0.8.1","git-odb-v0.20.1","git-pack-v0.8.1","git-traverse-v0.7.1","git-diff-v0.8.1","git-object-v0.12.1","git-validate-v0.5.1","git-actor-v0.3.2","git-transport-v0.10.0","git-packetline-v0.9.0","git-traverse-v0.7.0","git-object-v0.12.0","git-pack-v0.8.0","git-odb-v0.20.0","git-diff-v0.8.0","git-actor-v0.3.1","git-lock-v0.3.1","git-lock-v0.3.0","git-packetline-v0.8.0","git-odb-v0.18.0","git-pack-v0.6.0","git-diff-v0.6.0","git-traverse-v0.5.0","git-packetline-v0.7.0","git-odb-v0.17.0","git-pack-v0.5.0","git-tempfile-v0.6.0","git-diff-v0.5.0","git-traverse-v0.4.0","git-object-v0.11.0","git-validate-v0.5.0","git-actor-v0.3.0","git-testtools-v0.4.0","git-odb-v0.16.1","gitoxide-core-v0.10.0","git-repository-v0.7.0","git-transport-v0.9.0","git-protocol-v0.8.0","git-packetline-v0.6.0","git-pack-v0.3.1","git-features-v0.16.1","git-diff-v0.4.1","git-traverse-v0.3.1","git-ref-v0.5.1","git-pack-v0.3.0","git-odb-v0.16.0","git-traverse-v0.3.0","git-ref-v0.5.0","git-object-v0.10.0","git-diff-v0.4.0","git-hash-v0.5.0","git-validate-v0.4.0","git-url-v0.3.2","git-features-v0.16.0","git-lock-v0.2.0","git-tempfile-v0.5.0","git-actor-v0.2.0","git-config-v0.1.2","git-actor-v0.1.1","git-actor-v0.1.0","git-lock-v0.1.0","git-tempfile-v0.4.0","git-tempfile-v0.3.0","git-tempfile-v0.2.0","git-lock-v0.0.0","git-tempfile-v0.1.0","git-testtools-v0.3.0","git-repository-v0.6.0","git-validate-v0.1.0","git
-pack-v0.2.0","git-pack-v0.1.0","v0.7.0","git-config-v0.1.1","gitoxide-core-v0.9.0","git-protocol-v0.7.0","git-transport-v0.8.0","git-packetline-v0.5.0","git-odb-v0.15.0","git-diff-v0.3.0","git-traverse-v0.2.0","git-object-v0.9.0","git-features-v0.14.0","git-odb-v0.14.0","git-diff-v0.2.0","git-traverse-v0.1.0","git-traverse-v0.0.0","git-diff-v0.1.0","git-testtools-v0.1.0","git-odb-v0.12.0","git-object-v0.8.0","git-hash-v0.3.0","git-features-v0.13.0","git-diff-v0.0.0","gitoxide-core-v0.8.0","git-repository-v0.5.0","git-protocol-v0.6.0","git-transport-v0.7.0","git-odb-v0.10.0","git-object-v0.7.0","git-commitgraph-v0.4.0","git-features-v0.12.0","git-hash-v0.2.0","git-odb-v0.9.1","git-odb-v0.9.0","git-protocol-v0.5.0","git-transport-v0.6.0","git-url-v0.3.0","git-config-v0.1.0","git-commitgraph-v0.3.2","git-odb-v0.8.0","git-odb-v0.7.1","git-features-v0.11.0","git-features-v0.10.1","git-url-v0.2.0","git-hash-v0.1.2","git-commitgraph-v0.3.1","git-protocol-v0.4.1","git-transport-v0.5.1","end-2020","git-packetline-v0.4.1","git-ref-v0.4.1","git-url-v0.1.1","v0.6.0","gitoxide-core-v0.7.0","git-transport-v0.5.0","git-protocol-v0.4.0","git-odb-v0.7.0","git-object-v0.6.0","git-hash-v0.1.1","git-commitgraph-v0.3.0","git-features-v0.10.0","git-hash-v0.1.0","v0.5.0","gitoxide-core-v0.6.0","git-protocol-v0.3.0","git-transport-v0.4.0","git-packetline-v0.4.0","git-odb-v0.6.0","git-commitgraph-v0.2.0","git-features-v0.9.0","git-object-v0.5.0","git-protocol-v0.2.0","git-transport-v0.3.0","git-packetline-v0.3.0","git-odb-v0.5.0","git-features-v0.8.0","git-odb-v0.4.2","git-features-v0.7.0","git-config-v0.0.0","git-commitgraph-v0.1.2","git-commitgraph-v0.1.1","git-commitgraph-v0.1.0","v0.4.0","gitoxide-core-v0.4.0","git-repository-v0.4.0","git-protocol-v0.1.0","git-odb-v0.4.0","git-object-v0.4.0","git-url-v0.1.0","git-transport-v0.2.0","git-packetline-v0.2.0","git-ref-v0.4.0","git-features-v0.5.0","git-index-v0.0.0","git-commitgraph-v0.0.0","git-packetline-v0.1.0","git-features-v0.4.0","git
-url-v0.0.0","git-protocol-v0.0.0","v0.3.0","gitoxide-core-v0.3.0","git-repository-v0.3.0","git-ref-v0.3.0","git-odb-v0.3.0","git-object-v0.3.0","git-features-v0.3.0","git-tui-v0.0.0","git-ref-v0.2.0","git-features-v0.2.0","git-ref-v0.1.0","v0.1.0","gitoxide-core-v0.1.0","git-transport-v0.0.0","git-repository-v0.1.0","git-odb-v0.1.0","git-object-v0.1.0","git-features-v0.1.0","the-beginning-2020"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-22620.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"}]}