
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-G27R-R6PH-VF5R: Authentication Bypass via Policy Hash Truncation in sequoia-git

Vulnerability ID: GHSA-G27R-R6PH-VF5R
CVSS Score: 1.8
Published: 2026-05-04

A logic error in the caching mechanism of the sequoia-git library prior to version 0.6.0 results in the improper processing of OpenPGP hard revocations. A truncation bug during policy hash calculation creates cache collisions, allowing an attacker with a revoked key to bypass commit authentication if they can trick a maintainer into accepting a specific policy modification.

TL;DR

sequoia-git versions prior to 0.6.0 fail to properly enforce OpenPGP key revocations due to a cache collision bug triggered by a zero-byte policy hash. This allows attackers with compromised but revoked keys to sign valid commits if a maintainer merges a malicious policy update.
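To make the failure mode described above concrete (a cache of processed policies keyed by a policy hash that has been truncated to zero bytes), here is a small added Rust model. It is not sequoia-git's code: the policy shape, the digest function, the cache layout and the "alice" sample key are assumptions made for the demonstration. With the key truncated to zero bytes every policy maps to the same cache slot, so a policy that adds a hard revocation is answered with the stale result computed for the earlier policy; keying on the full digest restores the distinction.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::HashMap;
use std::hash::{Hash, Hasher};

/// Toy signing policy (assumed shape, not sequoia-git's format): which keys may
/// sign commits and which of them carry a hard revocation.
#[derive(Hash, Debug)]
pub struct Policy {
    pub authorized: Vec<String>,
    pub hard_revoked: Vec<String>,
}

/// Digest of a policy. The standard hasher stands in for a cryptographic hash
/// here; only the fact that distinct policies yield distinct bytes matters.
pub fn policy_digest(p: &Policy) -> [u8; 8] {
    let mut h = DefaultHasher::new();
    p.hash(&mut h);
    h.finish().to_be_bytes()
}

/// Cache of processed policies keyed by the first `keep_bytes` bytes of the
/// digest. `keep_bytes == 0` models the truncation bug: every key is empty,
/// so every policy collides with whichever one was processed first.
pub struct PolicyCache {
    keep_bytes: usize,
    entries: HashMap<Vec<u8>, Vec<String>>,
}

impl PolicyCache {
    pub fn new(keep_bytes: usize) -> Self {
        PolicyCache { keep_bytes, entries: HashMap::new() }
    }

    fn key(&self, p: &Policy) -> Vec<u8> {
        let d = policy_digest(p);
        d[..self.keep_bytes.min(d.len())].to_vec()
    }

    /// Effective set of signers: authorized keys minus hard-revoked ones.
    /// On a cache hit the stored result is returned without re-reading `p`,
    /// which is exactly where a colliding key makes a revocation vanish.
    pub fn effective_signers(&mut self, p: &Policy) -> Vec<String> {
        let k = self.key(p);
        if let Some(cached) = self.entries.get(&k) {
            return cached.clone();
        }
        let v: Vec<String> = p
            .authorized
            .iter()
            .filter(|s| !p.hard_revoked.contains(*s))
            .cloned()
            .collect();
        self.entries.insert(k, v.clone());
        v
    }
}

/// Constructed sample: the same key before and after a hard revocation lands.
pub fn policy_before() -> Policy {
    Policy { authorized: vec!["alice".into()], hard_revoked: vec![] }
}

pub fn policy_after() -> Policy {
    Policy { authorized: vec!["alice".into()], hard_revoked: vec!["alice".into()] }
}

/// Process the pre-revocation policy first, then the revoked one, and report
/// whether "alice" is still accepted as a signer under the second policy.
/// Returns true only when the cache answered from the stale entry.
pub fn alice_accepted_after_revocation(keep_bytes: usize) -> bool {
    let mut cache = PolicyCache::new(keep_bytes);
    let _ = cache.effective_signers(&policy_before());
    cache
        .effective_signers(&policy_after())
        .iter()
        .any(|s| s == "alice")
}

fn main() {
    println!(
        "truncated key (0 bytes): alice still accepted = {}",
        alice_accepted_after_revocation(0)
    );
    println!(
        "full key (8 bytes):      alice still accepted = {}",
        alice_accepted_after_revocation(8)
    );
}
```

The point for a reviewer is that the key derivation is the only thing that changes between the two runs: the policy evaluation itself is correct in both, and the bug is purely that a zero-length key makes unrelated policies indistinguishable to the cache. Any cache keyed by a digest should assert that the key has the full digest length before use.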


Technical Details

  • Vulnerability Type: Improper Verification of Cryptographic Signature
  • CWE ID: CWE-347
  • CVSS v4.0 Score: 1.8 (Low)
  • Attack Vector: Network
  • Privileges Required: High (Compromised authorized key)
  • User Interaction: Required (Maintainer merge)
  • Affected Versions: < 0.6.0
  • Exploit Status: None known

Affected Systems

  • sequoia-git library (crates.io)
  • sq-git command-line tool
  • sequoia-git: < 0.6.0 (Fixed in: 0.6.0)

Code Analysis

Commit: f9c9074

Fix hard revocation handling and correct policy hash truncation logic

Mitigation Strategies

  • Upgrade sequoia-git and sq-git to version 0.6.0.
  • Enforce strict manual review and multiple approvals for any modifications to repository policy files.
  • Implement continuous integration checks to detect unauthorized stripping of hard revocations from OpenPGP policies.

Remediation Steps:

  1. Identify all systems and build pipelines utilizing the sequoia-git library or sq-git tool.
  2. Update the dependency declarations in Cargo.toml to require sequoia-git >= 0.6.0.
  3. Recompile and redeploy the affected tooling across all environments.
  4. Audit existing Git repository histories for anomalous policy file modifications that remove key revocations.

