CVE-2023-49568
published 2024-01-12
CVE-2023-49568: A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service…
Priority: P3·40·high·7.5·CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.70% (48.6th percentile)
A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients.
Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability.
This is a go-git implementation issue and does not affect the upstream git cli.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-github-go-git-go-git | < golang-github-go-git-go-git 5.11.0-1 (forky) | golang-github-go-git-go-git 5.11.0-1 (forky) |
| github.com | go-git_go-git_v5 | >= 0 < 5.11.0 | 5.11.0 |
| github.com | go-git_go-git_v5 | >= 5.0.0 < 5.11.0 | 5.11.0 |
| go-git | go-git | — | — |
| go-git_project | go-git | >= 4.0.0 < 5.11.0 | 5.11.0 |
| gopkg.in | src-d_go-git.v4 | 4.7.1 – 4.13.1 | — |
| gopkg.in | src-d_go-git.v4 | >= 4.7.1 | — |
| msrc | azl3_packer_1.9.4-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_packer_1.9.5-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_cri-o_1.22.3-12_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_packer_1.8.7-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_packer_1.9.5-3_on_cbl_mariner_2.0 | — | — |
CVSS provenance
nvd·v3.1·7.5·HIGH·CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv·7.5·HIGH
vendor_debian·7.5·HIGH
vendor_msrc·7.5·HIGH
vendor_redhat·7.5·HIGH
vendor_ubuntu·7.5·HIGH
OSV
golang-github-go-git-go-git vulnerabilities
osv·2026-03-12·CVSS 7.5
CVE-2023-49568 [HIGH] golang-github-go-git-go-git vulnerabilities
Ionut Lalu discovered that go-git incorrectly handled certain specially
crafted Git server responses. An attacker could possibly use this issue to
cause a denial of service. (CVE-2023-49568, CVE-2025-21614)
Ionut Lalu discovered that go-git incorrectly handled file system paths
when using the ChrootOS implementation. A remote attacker could possibly
use this issue to perform a path traversal and create or modify arbitrary
files, leading to remote code execution. (CVE-2023-49569)
It was discovered that go-git did not properly sanitize arguments when
invoking git-upload-pack using the file transport protocol. An attacker
could possibly use this issue to inject arbitrary flag values when
interacting with local Git repositories. (CVE-2025-21613)
OSV
Denial of service in github.com/go-git/go-git/v5 and gopkg.in/src-d/go-git.v4
osv·2024-01-23
CVE-2023-49568 Denial of service in github.com/go-git/go-git/v5 and gopkg.in/src-d/go-git.v4
OSV
CVE-2023-49568: A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5
osv·2024-01-12·CVSS 7.5
CVE-2023-49568 [HIGH] CVE-2023-49568: A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5
A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability. This is a go-git implementation issue and does not affect the upstream git cli.
GHSA
Maliciously crafted Git server replies can cause DoS on go-git clients
ghsa·2023-12-27
CVE-2023-49568 [HIGH] CWE-20 Maliciously crafted Git server replies can cause DoS on go-git clients
### Impact
A denial of service (DoS) vulnerability was discovered in go-git versions prior to `v5.11`. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in `go-git` clients.
Applications using only the in-memory filesystem supported by `go-git` are not affected by this vulnerability.
This is a `go-git` implementation issue and does not affect the upstream `git` cli.
### Patches
Users running versions of `go-git` from `v4` and above are recommended to upgrade to `v5.11` in order to mitigate this vulnerability.
### Workarounds
In cases where a bump to the latest version of `go-git` is not possible, we
OSV
Maliciously crafted Git server replies can cause DoS on go-git clients
osv·2023-12-27
CVE-2023-49568 [HIGH] Maliciously crafted Git server replies can cause DoS on go-git clients
### Impact
A denial of service (DoS) vulnerability was discovered in go-git versions prior to `v5.11`. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in `go-git` clients.
Applications using only the in-memory filesystem supported by `go-git` are not affected by this vulnerability.
This is a `go-git` implementation issue and does not affect the upstream `git` cli.
### Patches
Users running versions of `go-git` from `v4` and above are recommended to upgrade to `v5.11` in order to mitigate this vulnerability.
### Workarounds
In cases where a bump to the latest version of `go-git` is not possible, we
Ubuntu
go-git vulnerabilities
vendor_ubuntu·2026-03-12·CVSS 7.5
CVE-2025-21613 [HIGH] go-git vulnerabilities
Title: go-git vulnerabilities
Summary: Several security issues were fixed in go-git.
Ionut Lalu discovered that go-git incorrectly handled certain specially
crafted Git server responses. An attacker could possibly use this issue to
cause a denial of service. (CVE-2023-49568, CVE-2025-21614)
Ionut Lalu discovered that go-git incorrectly handled file system paths
when using the ChrootOS implementation. A remote attacker could possibly
use this issue to perform a path traversal and create or modify arbitrary
files, leading to remote code execution. (CVE-2023-49569)
It was discovered that go-git did not properly sanitize arguments when
invoking git-upload-pack using the file transport protocol. An attacker
could possibly use this issue to inject arbitrary flag values when
interacting with
Microsoft
Maliciously crafted Git server replies can cause DoS on go-git clients
vendor_msrc·2024-01-09·CVSS 7.5
CVE-2023-49568 [HIGH] CWE-20 Maliciously crafted Git server replies can cause DoS on go-git clients
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Bitdefender: Bitdefender
Customer Action Required: Yes
Remediation: CBL-Mariner Release
Red Hat
go-git: Maliciously crafted Git server replies can cause DoS on go-git clients
vendor_redhat·2023-12-24·CVSS 7.5
CVE-2023-49568 [HIGH] CWE-400 go-git: Maliciously crafted Git server replies can cause DoS on go-git clients
A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients.
Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability.
This is a go-git implementation issue and does not affect the upstream git cli.
A denial of service (DoS) vulnerability was found in the go library go-git. This issue may allow an attacker to perform denial of service attacks by providing specially crafted responses from a Git server, which can trigger resource exhaustion in go-gi
Debian
CVE-2023-49568: golang-github-go-git-go-git - A denial of service (DoS) vulnerability was discovered in go-git versions prior ...
vendor_debian·2023·CVSS 7.5
CVE-2023-49568 [HIGH] CVE-2023-49568: golang-github-go-git-go-git - A denial of service (DoS) vulnerability was discovered in go-git versions prior ...
A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability. This is a go-git implementation issue and does not affect the upstream git cli.
Scope: local
bookworm: open
forky: resolved (fixed in 5.11.0-1)
sid: resolved (fixed in 5.11.0-1)
trixie: resolved (fixed in 5.11.0-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-01-12