Summary:
isomorphic-git (version 1.37.1) fails to verify the trailing SHA-1 checksum of .pack files. This allows corrupted or maliciously modified packfiles to be processed without error, leading to potential data corruption or parser instability. This behavior deviates from native git and exposes users to integrity risks similar to the vulnerability recently patched in go-git (GHSA-37cx-329c-33x3).
Reproduction Steps:
dockerfile:
isomorphic-git.zip
script file:
verify_isomorphic_git_vulnerability.sh
- Create a standard git repo.
- Manually modify the last 20 bytes (checksum) of a .pack file.
- Run git show HEAD using native git -> Correctly Rejected.
- Run isomorphic-git show HEAD -> Incorrectly Accepted.
result:
https://gist.github.com/N0zoM1z0/121fe7d90c7058f0e71dc29451154b39
Impact:
- Integrity Violation: The library claims verify OK on corrupted data.
- Robustness: Potentially vulnerable to DoS attacks via malformed packfiles that bypass the checksum guard.
- Consistency: Violates the Git format specification.