The current libgit2-sys dependency (0.18.2+1.9.1) bundles libgit2 1.9.1, which has two security vulnerabilities fixed in libgit2 1.9.2 (released Dec 6, 2025):

- SSH arbitrary command execution: remote repository names were passed to the shell without quoting when using the external SSH transport, potentially allowing arbitrary command execution.
- SSH public key buffer overflow: public keys that are not NUL-terminated were zeroed with memset using the wrong length, resulting in a buffer overflow or incomplete key zeroing.
Remediation
Update git2 to 0.20.4, which depends on libgit2-sys >=0.18.3 (libgit2 1.9.2).
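Added example, not part of this advisory or of the git2/libgit2 projects: a small POSIX sh audit that reads a Cargo.lock, extracts the pinned libgit2-sys version and flags anything below 0.18.3 (the first release bundling libgit2 1.9.2). The lock-file fragment is constructed for illustration, and the function names (lock_version, version_ge, audit_lockfile) are my own.

```shell
#!/bin/sh
# Added example (not from the advisory): flag a Cargo.lock that pins a
# libgit2-sys release older than the fixed 0.18.3 (libgit2 1.9.2).

# Minimum fixed libgit2-sys version, as stated in the remediation above.
FIXED_LIBGIT2_SYS="0.18.3"

# Print the version of package $1 from a Cargo.lock read on stdin.
# Cargo.lock is TOML made of [[package]] tables; we take the "version" line
# that follows a matching "name" line inside the same table.
lock_version() {
    pkg="$1"
    awk -v pkg="$pkg" '
        /^\[\[package\]\]/ { inpkg = 0 }
        $1 == "name" && $3 == ("\"" pkg "\"") { inpkg = 1 }
        inpkg && $1 == "version" { gsub(/"/, "", $3); print $3; exit }
    '
}

# Return 0 if dotted version $1 >= $2, else 1. Build metadata after "+"
# (libgit2-sys uses it to record the bundled libgit2 version, e.g.
# 0.18.2+1.9.1) is ignored, as SemVer prescribes.
version_ge() {
    a="${1%%+*}"; b="${2%%+*}"
    a1=${a%%.*}; t=${a#*.}; a2=${t%%.*}; a3=${t#*.}
    b1=${b%%.*}; t=${b#*.}; b2=${t%%.*}; b3=${t#*.}
    if [ "$a1" -ne "$b1" ]; then [ "$a1" -gt "$b1" ]; return; fi
    if [ "$a2" -ne "$b2" ]; then [ "$a2" -gt "$b2" ]; return; fi
    [ "${a3:-0}" -ge "${b3:-0}" ]
}

# Audit the Cargo.lock at path $1: return 0 if libgit2-sys is absent or
# fixed, 1 if the pinned version is still vulnerable.
audit_lockfile() {
    v=$(lock_version libgit2-sys < "$1")
    if [ -z "$v" ]; then
        echo "libgit2-sys not present in $1"
        return 0
    fi
    if version_ge "$v" "$FIXED_LIBGIT2_SYS"; then
        echo "libgit2-sys $v: OK (>= $FIXED_LIBGIT2_SYS, libgit2 1.9.2 or later)"
        return 0
    fi
    echo "libgit2-sys $v: VULNERABLE, update git2 to 0.20.4 (libgit2-sys >= $FIXED_LIBGIT2_SYS)"
    return 1
}

# Constructed Cargo.lock fragment (not taken from any real project) that
# pins the vulnerable libgit2-sys release.
SAMPLE_LOCK="${TMPDIR:-/tmp}/libgit2-audit-sample.lock"
cat > "$SAMPLE_LOCK" <<'EOF'
[[package]]
name = "git2"
version = "0.20.2"

[[package]]
name = "libgit2-sys"
version = "0.18.2+1.9.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "openssl-sys"
version = "0.9.109"
EOF

# Usage: audit the sample lock file and record the verdict.
if audit_lockfile "$SAMPLE_LOCK"; then AUDIT_STATUS=0; else AUDIT_STATUS=1; fi
```

On a real checkout the same question is answered by cargo itself: `cargo tree -i libgit2-sys` shows which crates pull it in, and `cargo update -p git2` refreshes the lock file once Cargo.toml allows 0.20.4. The script is useful where cargo is not available, for example in a CI policy step that only has the lock file.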
References