GHSA-794X-2RPG-RFGR
Vulnerability from github – Published: 2025-04-07 16:40 – Updated: 2025-04-07 16:40Summary
Jujutsu 0.28.0 and earlier rely on versions of gitoxide that use SHA-1 hash implementations without any collision detection, leaving them vulnerable to hash collision attacks.
Details
This is a result of the underlying CVE-2025-31130 / GHSA-2frx-2596-x5r6 vulnerability in the gitoxide library Jujutsu uses to interact with Git repositories; see that advisory for technical details. This separate advisory is being issued due to the downstream impact on users of Jujutsu.
Impact
An attacker with the ability to mount a collision attack on SHA-1 like the SHAttered or SHA-1 is a Shambles attacks could create two distinct Git objects with the same hash. This is becoming increasingly affordable for well‐resourced attackers, with the Shambles researchers in 2020 estimating $45k for a chosen‐prefix collision or $11k for a classical collision, and projecting less than $10k for a chosen‐prefix collision by 2025. The result could be used to disguise malicious repository contents, or potentially exploit assumptions in Jujutsu’s logic to cause further vulnerabilities.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "jj-lib"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.28.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "jj-cli"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.28.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-328"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-07T16:40:25Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nJujutsu 0.28.0 and earlier rely on versions of gitoxide that use SHA-1 hash implementations without any collision detection, leaving them vulnerable to hash collision attacks.\n\n### Details\nThis is a result of the underlying [CVE-2025-31130 / GHSA-2frx-2596-x5r6](https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-2frx-2596-x5r6) vulnerability in the gitoxide library Jujutsu uses to interact with Git repositories; see that advisory for technical details. This separate advisory is being issued due to the downstream impact on users of Jujutsu.\n\n### Impact\nAn attacker with the ability to mount a collision attack on SHA-1 like the [SHAttered](https://shattered.io/) or [SHA-1 is a Shambles](https://sha-mbles.github.io/) attacks could create two distinct Git objects with the same hash. This is becoming increasingly affordable for well\u2010resourced attackers, with the Shambles researchers in 2020 estimating $45k for a chosen\u2010prefix collision or $11k for a classical collision, and projecting less than $10k for a chosen\u2010prefix collision by 2025. The result could be used to disguise malicious repository contents, or potentially exploit assumptions in Jujutsu\u2019s logic to cause further vulnerabilities.",
"id": "GHSA-794x-2rpg-rfgr",
"modified": "2025-04-07T16:40:25Z",
"published": "2025-04-07T16:40:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jj-vcs/jj/security/advisories/GHSA-794x-2rpg-rfgr"
},
{
"type": "WEB",
"url": "https://github.com/jj-vcs/jj/commit/350da7d013773377aec0d3a4bf4374d3c941460e"
},
{
"type": "PACKAGE",
"url": "https://github.com/jj-vcs/jj"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jujutsu does not have SHA-1 collision detection"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.