{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/gix-pack--0.68.0/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["gix-pack (\u003c= 0.68.0)"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","git","gitoxide","gix-pack"],"_cs_type":"advisory","_cs_vendors":["rust"],"content_html":"\u003cp\u003eThe \u003ccode\u003egix-pack\u003c/code\u003e library, a Rust implementation of Git packfile handling, contains multiple denial-of-service (DoS) vulnerabilities. Specifically, unchecked array indexing in delta processing can lead to panics, and uncapped memory allocation based on attacker-controlled size headers allows for out-of-memory (OOM) attacks. These vulnerabilities are triggered when processing malicious pack data during clone or fetch operations. The affected versions are \u003ccode\u003egix-pack\u003c/code\u003e \u0026lt;= 0.68.0. This poses a risk to any application built on gitoxide that clones or fetches from an untrusted remote, including the \u003ccode\u003egix\u003c/code\u003e CLI, applications using the \u003ccode\u003egix\u003c/code\u003e crate, and CI/CD systems cloning repositories using gitoxide. A crafted pack entry claiming a multi-terabyte size triggers an immediate process kill: a single-packet kill with no recovery.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Git packfile containing either truncated delta data or an entry with an extremely large \u003ccode\u003edecompressed_size\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA user or automated system initiates a \u003ccode\u003egit clone\u003c/code\u003e or \u003ccode\u003egit fetch\u003c/code\u003e operation from a repository controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egix-pack\u003c/code\u003e library attempts to parse the crafted packfile.\u003c/li\u003e\n\u003cli\u003eIf the packfile contains truncated delta data, the \u003ccode\u003eapply()\u003c/code\u003e function in \u003ccode\u003egix-pack/src/data/delta.rs\u003c/code\u003e attempts to access array indices beyond the bounds of the data buffer, leading to a panic. Alternatively, the \u003ccode\u003eparse_header_info()\u003c/code\u003e function in \u003ccode\u003egix-pack/src/data/entry/decode.rs\u003c/code\u003e can also panic due to unchecked indexing.\u003c/li\u003e\n\u003cli\u003eIf the packfile contains an entry with an extremely large \u003ccode\u003edecompressed_size\u003c/code\u003e, the library attempts to allocate a large buffer using \u003ccode\u003eVec::with_capacity(size as usize)\u003c/code\u003e in \u003ccode\u003ebytes_to_entries.rs\u003c/code\u003e or \u003ccode\u003eVec::resize()\u003c/code\u003e in \u003ccode\u003eresolve.rs\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe allocation of the excessively large buffer exhausts available memory, triggering an out-of-memory (OOM) condition.\u003c/li\u003e\n\u003cli\u003eThe operating system terminates the process to prevent further memory exhaustion.\u003c/li\u003e\n\u003cli\u003eThe application using \u003ccode\u003egix-pack\u003c/code\u003e crashes, resulting in a denial-of-service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities leads to a denial-of-service (DoS) condition. For the panic vulnerability, a small amount of crafted data causes an immediate process abort. For the OOM vulnerability, a single crafted pack entry header causes the process to attempt a multi-terabyte allocation, leading to process termination by the operating system. This can affect various applications and systems, including the \u003ccode\u003egix\u003c/code\u003e CLI, applications using the \u003ccode\u003egix\u003c/code\u003e crate, and CI/CD systems, potentially disrupting software development workflows. The OOM vector represents a severe risk, as it is a single-packet process kill with no recovery.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of \u003ccode\u003egix-pack\u003c/code\u003e when available.\u003c/li\u003e\n\u003cli\u003eImplement input validation on packfile data before processing to mitigate the OOM vulnerability. Specifically, implement a configurable maximum object size and validate claimed sizes against it before allocation, as suggested in the advisory.\u003c/li\u003e\n\u003cli\u003eMonitor for process crashes or OOM events related to applications using \u003ccode\u003egix-pack\u003c/code\u003e. Deploy the Sigma rule \u003ccode\u003eDetect Gix-Pack Uncapped Memory Allocation\u003c/code\u003e to identify potential OOM attacks.\u003c/li\u003e\n\u003cli\u003eConsider blocking or filtering network traffic from untrusted Git repositories to prevent malicious packfiles from reaching vulnerable systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T19:24:15Z","date_published":"2026-05-05T19:24:15Z","id":"/briefs/2024-01-09-gix-pack-dos/","summary":"Multiple denial-of-service vulnerabilities exist in `gix-pack`; crafted delta data can cause unchecked array indexing, leading to panics, and uncapped attacker-controlled size headers enable out-of-memory process kills, triggered by malicious pack data during clone/fetch operations.","title":"gix-pack Denial-of-Service Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2024-01-09-gix-pack-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Gix-Pack (\u003c= 0.68.0)","version":"https://jsonfeed.org/version/1.1"}