Insufficiently Protected Credentials Affecting gix-transport package, versions >=0.25.4 <0.56.0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RUST-GIXTRANSPORT-16425659
- published6 May 2026
- disclosed5 May 2026
- creditsammiee5311
Introduced: 5 May 2026
New CVE NOT AVAILABLE CWE-522 (opens in a new tab)How to fix?
Upgrade gix-transport to version 0.56.0 or higher.
Overview
Affected versions of this package are vulnerable to Insufficiently Protected Credentials in the curl backend during HTTP(S) operations involving redirects. An attacker can obtain sensitive credentials by controlling a redirect target, causing the client to send authentication information to an unintended host. This can occur when a server responds with a redirect to a malicious domain, and subsequent requests automatically include the Authorization header, exposing credentials to the attacker. Additionally, a redirect from HTTPS to HTTP can result in credentials being transmitted in cleartext over an unencrypted connection.