<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Repomix - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/repomix/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 08 Jul 2026 15:21:07 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/repomix/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-59703: repomix Local File Inclusion Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-07-repomix-lfi/</link><pubDate>Wed, 08 Jul 2026 15:21:07 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-repomix-lfi/</guid><description>repomix contains a local file inclusion vulnerability (CVE-2026-59703) in its git clone endpoint, allowing unauthenticated attackers to read arbitrary local git repositories and server filesystem contents by bypassing validation with crafted file:// URLs.</description><content:encoded><![CDATA[<p>A critical local file inclusion vulnerability, identified as CVE-2026-59703, has been discovered in <code>repomix</code>, a tool for managing git repositories. This flaw allows unauthenticated attackers to read arbitrary local git repositories and sensitive server filesystem contents. The vulnerability stems from the <code>isValidRemoteValue</code> function in <code>src/core/git/gitRemoteParse.ts</code>, which fails to block <code>file://</code> URLs. Attackers can supply these specially crafted <code>file://</code> scheme URLs via the <code>git clone</code> endpoint, bypassing validation and causing the application to pass them directly to the underlying <code>git clone</code> command. This enables unauthorized access to tracked files on the server. The vulnerability impacts <code>repomix</code> versions prior to 1.14.1. The advisory was published on July 8, 2026, highlighting the immediate need for organizations using vulnerable <code>repomix</code> instances to upgrade or implement protective measures to prevent data exfiltration.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Unauthenticated attacker identifies a public-facing <code>repomix</code> instance vulnerable to CVE-2026-59703 (versions &lt; 1.14.1).</li>
<li>The attacker crafts an HTTP POST or GET request targeting the <code>repomix</code> <code>git clone</code> endpoint, embedding a <code>file://</code> URI in the <code>remote</code> parameter, e.g., <code>/git/clone?remote=file:///etc/passwd</code>.</li>
<li>The <code>isValidRemoteValue</code> function in <code>src/core/git/gitRemoteParse.ts</code> fails to properly validate and block the <code>file://</code> scheme URL.</li>
<li><code>repomix</code> passes the attacker-supplied <code>file://</code> URI directly to the underlying <code>git clone</code> command.</li>
<li>The <code>git clone</code> command attempts to access and clone the local file path specified by the <code>file://</code> URI (e.g., <code>/etc/passwd</code>).</li>
<li>The <code>repomix</code> application returns the content of the targeted local file or directory within the HTTP response to the attacker.</li>
<li>This allows the unauthenticated attacker to read arbitrary local git repositories and other sensitive server filesystem contents, leading to data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-59703 allows unauthenticated attackers to achieve local file inclusion, leading to the unauthorized disclosure of sensitive information. This includes access to arbitrary local git repositories, configuration files (e.g., <code>/etc/passwd</code>, database credentials), source code, and other proprietary data stored on the server's filesystem. While no specific victim count or targeted sectors have been disclosed, any organization using vulnerable <code>repomix</code> instances is at risk of significant data exfiltration and potential further compromise if credentials or other sensitive information are discovered through this vulnerability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-59703 by upgrading <code>repomix</code> to version 1.14.1 or higher immediately.</li>
<li>Deploy the provided Sigma rule to your SIEM to detect attempts to exploit CVE-2026-59703 by monitoring webserver logs for <code>file://</code> URLs in <code>git clone</code> requests.</li>
<li>Implement a Web Application Firewall (WAF) rule to block HTTP requests to the <code>git clone</code> endpoint containing <code>file://</code> URI schemes in request parameters, as described in the attack chain.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>local-file-inclusion</category><category>web-vulnerability</category><category>cve</category><category>repomix</category></item></channel></rss>