Описание
Jujutsu does not have SHA-1 collision detection
Summary
Jujutsu 0.28.0 and earlier rely on versions of gitoxide that use SHA-1 hash implementations without any collision detection, leaving them vulnerable to hash collision attacks.
Details
This is a result of the underlying CVE-2025-31130 / GHSA-2frx-2596-x5r6 vulnerability in the gitoxide library Jujutsu uses to interact with Git repositories; see that advisory for technical details. This separate advisory is being issued due to the downstream impact on users of Jujutsu.
Impact
An attacker with the ability to mount a collision attack on SHA-1 like the SHAttered or SHA-1 is a Shambles attacks could create two distinct Git objects with the same hash. This is becoming increasingly affordable for well‐resourced attackers, with the Shambles researchers in 2020 estimating $45k for a chosen‐prefix collision or $11k for a classical collision, and projecting less than $10k for a chosen‐prefix collision by 2025. The result could be used to disguise malicious repository contents, or potentially exploit assumptions in Jujutsu’s logic to cause further vulnerabilities.
Пакеты
jj-lib
< 0.28.1
0.28.1
jj-cli
< 0.28.1
0.28.1
6.8 Medium
CVSS3
Дефекты
6.8 Medium
CVSS3