ANT-2026-6SNS6KMP · GitoxideLabs/gitoxide

rce high

GHSA-f26g-jm89-4g65

Severity Claude high · Security research firm - · Maintainer high

Discovered by Claude Mythos Preview

REPORT

The report below was sent to the maintainer and sealed at approval.

ANT-2026-6SNS6KMP: RCE when updating a Git submodule of a malicious repository

Updating a Git submodule from a malicious repository leads to remote code execution.

Target

Project: GitoxideLabs/gitoxide
Discovery: static analysis — not yet dynamically reproduced

Technical Details

Step [A] reads `submodule.<name>.update` newest-to-oldest across sections, so if the trusted override section has no `update` key the attacker's .gitmodules value is returned. Step [B] then disarms the guard because `.any(|s| s.header().subsection_name() == Some(name) && !std::ptr::eq(s.meta(), ours))` only checks that a foreign-metadata section exists for that name, not that it supplied the value read in [A]. The two checks ask different questions, and the mismatch lets a .gitmodules-sourced `!command` pass as trusted.
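The following is an added, self-contained model of the two-check mismatch described above. It is not gitoxide's code and not a reproducer for the advisory; the `Section`, `Meta`, `read_update`, `update_vulnerable` and `update_hardened` names, and the constructed section list, are assumptions made for illustration. "Foreign metadata" is modelled as any section whose metadata is not the .gitmodules file's.

```rust
// Added example, not gitoxide's code: a minimal model of the [A]/[B] mismatch.
// All type and function names here are assumptions for illustration only.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
enum Meta {
    /// Section parsed from the repository's .gitmodules (attacker-controlled on clone)
    GitModules,
    /// Section from a trusted override source (e.g. the local repository config)
    Override,
}

#[derive(Debug)]
struct Section {
    /// Subsection name, i.e. `<name>` in `submodule.<name>.update`
    name: String,
    meta: Meta,
    /// Value of the `update` key in this section, if the key is present at all
    update: Option<String>,
}

/// Step [A]: read `submodule.<name>.update` newest-to-oldest across all sections.
/// Sections are stored oldest-first, so the search runs in reverse and returns
/// the first section that actually carries an `update` key.
fn read_update<'a>(sections: &'a [Section], name: &str) -> Option<&'a Section> {
    sections
        .iter()
        .rev()
        .filter(|s| s.name == name)
        .find(|s| s.update.is_some())
}

/// Vulnerable shape of step [B]: a `!command` value is accepted whenever *some*
/// section for `name` has non-.gitmodules metadata, regardless of which section
/// supplied the value returned by [A]. An override section with no `update` key
/// is enough to disarm the guard.
fn update_vulnerable(sections: &[Section], name: &str) -> Result<Option<String>, String> {
    let section = match read_update(sections, name) {
        Some(s) => s,
        None => return Ok(None),
    };
    let value = section.update.clone().unwrap();
    if value.starts_with('!') {
        let has_foreign_section = sections
            .iter()
            .any(|s| s.name == name && s.meta != Meta::GitModules);
        if !has_foreign_section {
            return Err(format!("refusing `{}`: sourced from .gitmodules", value));
        }
    }
    Ok(Some(value))
}

/// Hardened shape: the trust decision is made on the section that supplied the
/// value, so a `!command` that came from .gitmodules is rejected even when an
/// override section for the same name exists.
fn update_hardened(sections: &[Section], name: &str) -> Result<Option<String>, String> {
    let section = match read_update(sections, name) {
        Some(s) => s,
        None => return Ok(None),
    };
    let value = section.update.clone().unwrap();
    if value.starts_with('!') && section.meta == Meta::GitModules {
        return Err(format!("refusing `{}`: sourced from .gitmodules", value));
    }
    Ok(Some(value))
}

/// Constructed scenario: the attacker's .gitmodules sets `update = !cmd`, and the
/// trusted override has a section for the same submodule but no `update` key.
fn attack_scenario() -> Vec<Section> {
    vec![
        Section {
            name: "lib".to_string(),
            meta: Meta::GitModules,
            update: Some("!touch /tmp/pwned".to_string()),
        },
        Section {
            name: "lib".to_string(),
            meta: Meta::Override,
            update: None,
        },
    ]
}

fn main() {
    let sections = attack_scenario();
    println!("vulnerable: {:?}", update_vulnerable(&sections, "lib"));
    println!("hardened:   {:?}", update_hardened(&sections, "lib"));
}
```

The model keeps step [A] identical in both variants; only the guard changes. The practical check when reviewing similar code is whether the trust decision is made on the same object that produced the value (here, the section returned by the lookup) rather than on a separate existence query over the same collection. The actual upstream change is in the advisory linked under UPSTREAM FIX below.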

Reproduction

This finding was identified by static analysis and has not yet been dynamically reproduced. The Technical Details section above describes the code path; a trigger input is not included.

[No reproducer or sanitizer output attached — request from cvd@anthropic.com if needed.]

Acknowledgement

This vulnerability was discovered by Claude, Anthropic's AI assistant, and triaged by the Anthropic security team in collaboration with Anthropic Research. Please direct questions to security-cvd@anthropic.com and reference ANT-2026-6SNS6KMP.


Reference: ANT-2026-6SNS6KMP
Anthropic CVD Policy: https://anthropic.com/security/cvd-policy

UPSTREAM FIX

https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-f26g-jm89-4g65

TIMELINE

Dates from discovery through public reveal.

  1. 2026-03-29 Reported to tracker
  2. 2026-05-05 Patch released
  3. 2026-05-08 Sent to maintainer
  4. 2026-05-08 Maintainer acknowledged
  5. 2026-05-20 Publicly revealed

PROVENANCE

SHA-3-512 hash:

bc1d508742c8b9b677d57b6feae069ec5a97a697eba86a13021c648a8457d27998aac7f9245b25e244e4ae804163175bd310e4302c522abf267f76e64a845221

Committed 2026-05-08 09:37 PT

Revealed 2026-05-20 00:40 PT

Verify (download preimage.json)

{
  "ant_id": "ANT-2026-6SNS6KMP",
  "bug_class": "Remote Code Execution",
  "claude_severity": "high",
  "commit_sha": null,
  "created_at": "2026-03-29T20:43:51+00:00",
  "description": "Updating a Git submodule from a malicious repository leads to remote code execution.",
  "discovered_at": "2026-03-10T00:00:00+00:00",
  "location": null,
  "poc_sha256": null,
  "preimage_version": 1,
  "project": "GitoxideLabs/gitoxide",
  "reproduction": null,
  "technical_details": "Step [A] reads `submodule.<name>.update` newest-to-oldest across sections, so if the trusted override section has no `update` key the attacker's .gitmodules value is returned. Step [B] then disarms the guard because `.any(|s| s.header().subsection_name() == Some(name) && !std::ptr::eq(s.meta(), ours))` only checks that a foreign-metadata section exists for that name, not that it supplied the value read in [A]. The two checks ask different questions, and the mismatch lets a .gitmodules-sourced `!command` pass as trusted.",
  "title": "RCE when updating a Git submodule of a malicious repository",
  "vendor_severity": null
}