Use of Incorrectly-Resolved Name or Reference in gix-path - CVE-2024-45305
Published: August 31, 2024 / Updated: May 5, 2026
gix-path
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to use of incorrectly resolved name or reference in gix_path::env installation_config and installation_config_prefix when parsing the output of git config -l --show-origin to determine the installation configuration path. A remote attacker can cause local repository configuration to be treated as installation-wide configuration to disclose sensitive information.
User interaction is required, and exploitation occurs in uncommon situations where higher-scoped Git configuration is absent or deliberately disabled, such as when operating on one repository while located inside another repository.