Improper Resolution of Path Equivalence in gix-path - CVE-2024-45405
Published: September 6, 2024 / Updated: May 5, 2026
gix-path
Detailed vulnerability description
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists because gix_path::env::installation_config and gix_path::env::installation_config_prefix locate Git's installation-level configuration file by running git config -l --show-origin and taking the path from the file: origin in its output, without correctly resolving which file that printed path denotes (improper resolution of path equivalence, CWE-41). A local user who can influence the reported path can craft one that gix-path resolves to a different, attacker-controlled file, so that the attacker's configuration is read in place of the installation's, which can lead to arbitrary code execution.
User interaction is required, and exploitation is only plausible in uncommon multi-user or unusually configured environments.
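The origin field these functions read is text that git prints, not a filesystem path. When a path contains whitespace, double quotes, control or non-ASCII bytes, git renders it in C-style double quotes with backslash escapes, so using the printed bytes verbatim names a different file from the one git actually read. The Rust program below is an added illustration and not gitoxide's code: it parses git config -l --show-origin output from a constructed sample, contrasts a naive strip of the file: prefix with a parser that unquotes the origin and accepts only an absolute file origin, and treats the first entry as the installation-level file because git lists the system scope before the global and repository scopes. The names parse_show_origin, naive_config_path and installation_config_path, and the sample paths, are assumptions of this example.

```rust
use std::path::PathBuf;

/// Constructed sample of `git config -l --show-origin` output (not real git output).
/// The first and third paths contain a space and a non-ASCII byte, so git quotes them.
const SAMPLE: &str = concat!(
    "file:\"/opt/Git Tools/etc/gitconfig\"\tcore.autocrlf=false\n",
    "file:/home/dev/.gitconfig\tuser.name=dev\n",
    "file:\"/srv/repos/caf\\303\\251/.git/config\"\tcore.bare=false\n",
);

/// One entry of `git config -l --show-origin` output.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Entry {
    /// `file`, `command line`, `standard input`, `blob`, ...
    pub origin_type: String,
    /// The origin payload with git's quoting removed (a filesystem path for `file`).
    pub origin: String,
    /// The `key=value` text after the separating tab.
    pub key_value: String,
}

/// Undo git's C-style quoting: `"..."` with `\"`, `\\`, `\n`, `\t` and similar
/// single-character escapes plus three-digit octal `\ooo` escapes for other bytes.
/// Unquoted input is returned unchanged; a malformed quoted string yields `None`
/// instead of a guessed path.
pub fn unquote_c_style(raw: &str) -> Option<String> {
    let inner = match raw.strip_prefix('"') {
        None => return Some(raw.to_owned()),
        Some(rest) => rest.strip_suffix('"')?,
    };
    let mut out = Vec::with_capacity(inner.len());
    let mut bytes = inner.bytes();
    while let Some(b) = bytes.next() {
        if b != b'\\' {
            out.push(b);
            continue;
        }
        match bytes.next()? {
            b'"' => out.push(b'"'),
            b'\\' => out.push(b'\\'),
            b'a' => out.push(0x07),
            b'b' => out.push(0x08),
            b'f' => out.push(0x0c),
            b'n' => out.push(b'\n'),
            b'r' => out.push(b'\r'),
            b't' => out.push(b'\t'),
            b'v' => out.push(0x0b),
            d0 @ b'0'..=b'7' => {
                // git always emits exactly three octal digits for such bytes
                let d1 = bytes.next()?;
                let d2 = bytes.next()?;
                if !(b'0'..=b'7').contains(&d1) || !(b'0'..=b'7').contains(&d2) {
                    return None;
                }
                let v = (d0 - b'0') as u32 * 64 + (d1 - b'0') as u32 * 8 + (d2 - b'0') as u32;
                out.push(u8::try_from(v).ok()?);
            }
            _ => return None,
        }
    }
    String::from_utf8(out).ok()
}

/// Parse the text (non `-z`) form: one `<origin-type>:<origin>\t<key>=<value>` per line.
/// Lines without that shape (e.g. continuation lines of multi-line values) are skipped.
pub fn parse_show_origin(output: &str) -> Vec<Entry> {
    output
        .lines()
        .filter_map(|line| {
            let (origin_part, key_value) = line.split_once('\t')?;
            let (origin_type, raw_origin) = origin_part.split_once(':')?;
            Some(Entry {
                origin_type: origin_type.to_owned(),
                origin: unquote_c_style(raw_origin)?,
                key_value: key_value.to_owned(),
            })
        })
        .collect()
}

/// The unsafe way: strip `file:` and use the rest verbatim. For a quoted origin this
/// produces a name with literal quotes and escapes, i.e. a different file.
pub fn naive_config_path(output: &str) -> Option<PathBuf> {
    let origin_part = output.lines().next()?.split('\t').next()?;
    Some(PathBuf::from(origin_part.strip_prefix("file:")?))
}

/// The installation-level file: the first entry, accepted only if it is a `file`
/// origin whose unquoted path is absolute.
pub fn installation_config_path(output: &str) -> Option<PathBuf> {
    let entries = parse_show_origin(output);
    let first = entries.first()?;
    if first.origin_type != "file" {
        return None;
    }
    let path = PathBuf::from(&first.origin);
    if !path.is_absolute() {
        return None;
    }
    Some(path)
}

fn main() {
    println!("naive:    {:?}", naive_config_path(SAMPLE));
    println!("hardened: {:?}", installation_config_path(SAMPLE));
    for e in parse_show_origin(SAMPLE) {
        println!("{:<5} {:?} -> {}", e.origin_type, e.origin, e.key_value);
    }
}
```

Where the caller controls how git is invoked, git config -l --show-origin -z sidesteps the quoting problem: in that mode git prints each origin unquoted, followed by a newline, the key and value, and a NUL terminator, so the path can be taken byte for byte.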