Gitoxide

A vulnerability in gix and gitoxide allows a malicious repository to use a symlinked `.gitmodules` file pointing outside the repository, leading to the parsing of arbitrary, attacker-controlled submodule configurations and potential manipulation of downstream git operations.

Multiple denial-of-service vulnerabilities exist in `gix-pack`; crafted delta data can cause unchecked array indexing, leading to panics, and uncapped attacker-controlled size headers enable out-of-memory process kills, triggered by malicious pack data during clone/fetch operations.

A vulnerability in rust's gix-fs library (<= 0.21.0) allows a malicious actor to construct a tree that, when checked out with gitoxide, permits writing an attacker-controlled symlink into any existing directory the user has write access to, potentially leading to code execution.

A vulnerability in gitoxide's `gix_submodule::File::update()` allows arbitrary command execution via a crafted `.gitmodules` file by incorrectly validating the source of the `update` command, enabling an attacker to inject malicious commands after a submodule has been initialized.