Home

Description

repomix contains a local file inclusion vulnerability in the git clone endpoint that allows unauthenticated attackers to read arbitrary local git repositories. The isValidRemoteValue function in src/core/git/gitRemoteParse.ts fails to block file:// URLs, permitting attackers to supply file:// scheme URLs that bypass validation and are passed directly to git clone, enabling unauthorized access to all tracked file contents on the server filesystem.

PUBLISHED Reserved 2026-07-06 | Published 2026-07-08 | Updated 2026-07-08 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

Files or Directories Accessible to External Parties

Product status

Default status
affected

Any version before 1.14.1
affected

Any version
affected

Credits

George Chen reporter

References

github.com/yamadashy/repomix/issues/1704 issue-tracking

github.com/yamadashy/repomix product

github.com/...ommit/c748b524f41225e7fc6f89ad0084520901a453cf (Patch Commit) patch

www.vulncheck.com/...a-file-url-scheme-in-git-clone-endpoint third-party-advisory

cve.org (CVE-2026-59703)

nvd.nist.gov (CVE-2026-59703)

Download JSON