CVE-2026-59703: repomix Local File Inclusion Vulnerability
repomix contains a local file inclusion vulnerability (CVE-2026-59703) in its git clone endpoint, allowing unauthenticated attackers to read arbitrary local git repositories and server filesystem contents by bypassing validation with crafted file:// URLs.
A critical local file inclusion vulnerability, identified as CVE-2026-59703, has been discovered in repomix, a tool for managing git repositories. This flaw allows unauthenticated attackers to read arbitrary local git repositories and sensitive server filesystem contents. The vulnerability stems from the isValidRemoteValue function in src/core/git/gitRemoteParse.ts, which fails to block file:// URLs. Attackers can supply these specially crafted file:// scheme URLs via the git clone endpoint, bypassing validation and causing the application to pass them directly to the underlying git clone command. This enables unauthorized access to tracked files on the server. The vulnerability impacts repomix versions prior to 1.14.1. The advisory was published on July 8, 2026, highlighting the immediate need for organizations using vulnerable repomix instances to upgrade or implement protective measures to prevent data exfiltration.
Attack Chain
- Unauthenticated attacker identifies a public-facing
repomixinstance vulnerable to CVE-2026-59703 (versions < 1.14.1). - The attacker crafts an HTTP POST or GET request targeting the
repomixgit cloneendpoint, embedding afile://URI in theremoteparameter, e.g.,/git/clone?remote=file:///etc/passwd. - The
isValidRemoteValuefunction insrc/core/git/gitRemoteParse.tsfails to properly validate and block thefile://scheme URL. repomixpasses the attacker-suppliedfile://URI directly to the underlyinggit clonecommand.- The
git clonecommand attempts to access and clone the local file path specified by thefile://URI (e.g.,/etc/passwd). - The
repomixapplication returns the content of the targeted local file or directory within the HTTP response to the attacker. - This allows the unauthenticated attacker to read arbitrary local git repositories and other sensitive server filesystem contents, leading to data exfiltration.
Impact
Successful exploitation of CVE-2026-59703 allows unauthenticated attackers to achieve local file inclusion, leading to the unauthorized disclosure of sensitive information. This includes access to arbitrary local git repositories, configuration files (e.g., /etc/passwd, database credentials), source code, and other proprietary data stored on the server's filesystem. While no specific victim count or targeted sectors have been disclosed, any organization using vulnerable repomix instances is at risk of significant data exfiltration and potential further compromise if credentials or other sensitive information are discovered through this vulnerability.
Recommendation
- Patch CVE-2026-59703 by upgrading
repomixto version 1.14.1 or higher immediately. - Deploy the provided Sigma rule to your SIEM to detect attempts to exploit CVE-2026-59703 by monitoring webserver logs for
file://URLs ingit clonerequests. - Implement a Web Application Firewall (WAF) rule to block HTTP requests to the
git cloneendpoint containingfile://URI schemes in request parameters, as described in the attack chain.
Detection coverage 1
Detects CVE-2026-59703 Exploitation - repomix LFI via file:// URL in git clone
highDetects CVE-2026-59703 exploitation - HTTP requests to the repomix git clone endpoint containing file:// URLs in parameters, indicating a local file inclusion attempt.
Detection queries are available on the platform. Get full rules →