Nix up to and including 2.22.1 mishandles certain usage of hash caches, which makes it easier for malicious users to replace current source code with attacker-controlled source code by luring a maintainer into accepting a malicious pull request.