CVE-2023-53158

Severity: MEDIUM (CVSS 4.1)    EPSS: 0.07%

gix-transport code execution vulnerability

Published: 9/25/2023    Modified: 10/28/2025
Also known as: GHSA-rrjw-j4m2-mf34, RUSTSEC-2023-0064

Description

The `gix-transport` crate prior to the patched version 0.36.1 would allow attackers to use malicious ssh clone URLs to pass arbitrary arguments to the `ssh` program, leading to arbitrary code execution. Because the host component of the URL is handed to `ssh` as a command-line argument, a host that begins with `-` is interpreted by `ssh` as an option rather than as a hostname.

PoC: `gix clone 'ssh://-oProxyCommand=open$IFS-aCalculator/foo'`

This will launch a calculator on OSX. See <https://secure.phabricator.com/T12961> for more details on similar vulnerabilities in `git`. Thanks to [vin01](https://github.com/vin01) for disclosing the issue.
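The defensive check below is an added illustration, not code from `gix-transport` or its fix: it parses the `ssh://[user@]host[:port]/path` form and refuses any user or host component that starts with `-`, which is the approach `git` took for the same class of bug. The error type, function name and the IPv6-literal simplification are assumptions made for this example.

```rust
// Added example (not gix code): reject ssh clone URLs whose user or host
// component would be parsed by the ssh binary as a command-line option.
#[derive(Debug, PartialEq)]
pub enum UrlError {
    NotSsh,
    MissingHost,
    LooksLikeOption(String),
}

/// Parse `ssh://[user@]host[:port]/path` into (user, host, path).
/// Any user or host beginning with `-` is rejected before it can reach
/// `ssh`, where it would be treated as an option such as `-oProxyCommand=`.
/// Simplification (assumption): bracketed IPv6 literals are not handled.
pub fn safe_ssh_parts(url: &str) -> Result<(Option<String>, String, String), UrlError> {
    let rest = url.strip_prefix("ssh://").ok_or(UrlError::NotSsh)?;
    // Split authority from path at the first '/'.
    let (authority, path) = match rest.find('/') {
        Some(i) => (&rest[..i], &rest[i..]),
        None => (rest, "/"),
    };
    // Optional user is everything before the last '@'.
    let (user, hostport) = match authority.rfind('@') {
        Some(i) => (Some(&authority[..i]), &authority[i + 1..]),
        None => (None, authority),
    };
    // Strip an optional numeric ":port" suffix.
    let host = match hostport.rfind(':') {
        Some(i) if !hostport[i + 1..].is_empty()
            && hostport[i + 1..].chars().all(|c| c.is_ascii_digit()) => &hostport[..i],
        _ => hostport,
    };
    if host.is_empty() {
        return Err(UrlError::MissingHost);
    }
    // The actual guard: neither component may look like an ssh option.
    for part in [Some(host), user].into_iter().flatten() {
        if part.starts_with('-') {
            return Err(UrlError::LooksLikeOption(part.to_string()));
        }
    }
    Ok((user.map(str::to_string), host.to_string(), path.to_string()))
}

fn main() {
    // The advisory's PoC URL is rejected; a normal clone URL is accepted.
    println!("{:?}", safe_ssh_parts("ssh://-oProxyCommand=open$IFS-aCalculator/foo"));
    println!("{:?}", safe_ssh_parts("ssh://git@example.com:22/org/repo.git"));
}
```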

Affected packages (2)

CVSS scores

Source   Version    Severity      Vector
osv      CVSS 3.1   MEDIUM 4.1    CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

References (7)