{"id":"JLSEC-2025-3","summary":"Lack of validation for user-provided fields in GitForge.jl","details":"### Description\n\nThere is a lack of input validation for user-provided values in certain functions.\n\nIn the `GitForge.get_repo()` function for GitHub, the user can provide any string for the `owner` and `repo` fields. These inputs are not validated or safely encoded and are sent directly to the server.\n\n### Impact\n\nThis means a user can add path traversal patterns like `../` in the input to access any other endpoints on `api.github.com` that were not intended.\n\n### Patches\n\nUsers should upgrade immediately to v0.4.3. All prior versions are vulnerable.\n\n### Workarounds\n\nNone\n\n### References\n\nFixed by: https://github.com/JuliaWeb/GitForge.jl/pull/50 (which is available in v0.4.3).\n\n### Credits\n\nThanks to *splitline* from the DEVCORE Research Team for reporting this issue.","aliases":["CVE-2025-50178","GHSA-g2xx-229f-3qjm"],"modified":"2025-11-06T22:57:35.007046Z","published":"2025-10-08T17:41:37.190Z","database_specific":{"license":"CC-BY-4.0","sources":[{"imported":"2025-10-07T02:52:16.795Z","published":"2025-06-24T23:01:20Z","url":"https://api.github.com/repos/JuliaWeb/GitForge.jl/security-advisories/GHSA-g2xx-229f-3qjm","id":"GHSA-g2xx-229f-3qjm","modified":"2025-06-24T23:01:20Z","html_url":"https://github.com/JuliaWeb/GitForge.jl/security/advisories/GHSA-g2xx-229f-3qjm"}]},"affected":[{"package":{"name":"GitForge","ecosystem":"Julia","purl":"pkg:julia/GitForge?uuid=8f6bce27-0656-5410-875b-07a5572985df"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.4.3"}]}],"database_specific":{"source":"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2025/JLSEC-2025-3.json"}}],"schema_version":"1.7.3"}