CVE-2023-49569
Published 2024-01-12 · CVE-2023-49569: A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the…
Priority P2 · 60 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.52% (71.5th percentile)
A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worst case scenario, remote code execution could be achieved.
Applications are only affected if they are using the ChrootOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS , which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS or in-memory filesystems are not affected by this issue.
This is a go-git implementation issue and does not affect the upstream git cli.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-github-go-git-go-git | < golang-github-go-git-go-git 5.11.0-1 (forky) | golang-github-go-git-go-git 5.11.0-1 (forky) |
| github.com | go-git_go-git_v5 | >= 5.0.0 < 5.11.0 | 5.11.0 |
| go-git | go-git | — | — |
| go-git_project | go-git | >= 4.0.0 < 5.11.0 | 5.11.0 |
| gopkg.in | src-d_go-git.v4 | 4.0.0 – 4.13.1 | — |
| gopkg.in | src-d_go-git.v4 | >= 4.7.1 | — |
| msrc | azl3_packer_1.9.4-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_packer_1.9.5-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_cri-o_1.22.3-12_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_packer_1.8.7-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_packer_1.9.5-3_on_cbl_mariner_2.0 | — | — |
Detection & IOCs (extracted from sources)
- Vulnerability is triggered when applications use ChrootOS (the default filesystem for 'Plain' variants of Open and Clone functions such as PlainClone) in go-git versions prior to v5.11; detect use of these APIs in code or dependency manifests
- Applications using BoundOS or in-memory filesystems are NOT affected; use of BoundOS can be used as a detection/mitigation signal to confirm non-exposure
- The vulnerability is exploitable via maliciously crafted Git server replies; monitor go-git client connections to untrusted/external Git servers as a risk indicator
- Scan software bill of materials (SBOM) and Go module dependency files (go.mod/go.sum) for github.com/go-git/go-git/v5 versions prior to v5.11 to identify vulnerable deployments
- Only go-git deployments using ChrootOS (the default for PlainOpen, PlainClone, etc.) are vulnerable; BoundOS and in-memory filesystem users are not affected
- This is a go-git (Go library) implementation issue only; the upstream git CLI is not affected
- In OpenShift Container Platform, the vulnerable package is used as a dependency in many components where the vulnerable function is not used, reducing impact to Low
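The go.mod scanning signal listed above, as an added example that is not part of this page or of the go-git project: a standard-library-only Go program that reads the require directives of a go.mod (single-line and block form, `// indirect` comments tolerated) and flags the two module paths this advisory names when the version is prior to the fix. The fixed-version table mirrors the Affected table on this page (v5.11.0 for github.com/go-git/go-git/v5, no fixed release for gopkg.in/src-d/go-git.v4); the sample go.mod is constructed for the demonstration. Pre-releases and pseudo-versions of v5.11.0 are treated as prior to v5.11.0, which is the edge a naive string comparison gets wrong.

```go
package main

import (
	"fmt"
	"strings"
)

// Module paths named by the advisory: v5 is fixed in v5.11.0, the legacy v4 module has no fix listed.
var fixedIn = map[string]string{
	"github.com/go-git/go-git/v5": "v5.11.0",
	"gopkg.in/src-d/go-git.v4":    "",
}

// parseVersion splits "vX.Y.Z[-pre][+meta]" into numbers and a pre-release/pseudo-version flag.
func parseVersion(v string) (nums [3]int, pre bool, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		pre, v = v[i] == '-', v[:i]
	}
	n, err := fmt.Sscanf(v, "%d.%d.%d", &nums[0], &nums[1], &nums[2])
	return nums, pre, n == 3 && err == nil
}

// VulnerableVersion reports whether module@ver is prior to the fixed release.
// A pre-release or pseudo-version of v5.11.0 still sorts before v5.11.0 itself.
func VulnerableVersion(module, ver string) bool {
	fixed, tracked := fixedIn[module]
	if !tracked {
		return false
	}
	if fixed == "" {
		return true // every release of this module line is affected
	}
	got, gotPre, ok1 := parseVersion(ver)
	want, _, ok2 := parseVersion(fixed)
	if !ok1 || !ok2 {
		return false // unparsable: leave for manual review rather than guess
	}
	for i := range got {
		if got[i] != want[i] {
			return got[i] < want[i]
		}
	}
	return gotPre
}

// Finding is one go-git requirement found in a go.mod file.
type Finding struct {
	Module, Version string
	Vulnerable      bool
}

// ScanGoMod reads require directives (single-line and block form) and reports each go-git module.
func ScanGoMod(text string) []Finding {
	var out []Finding
	inBlock := false
	for _, line := range strings.Split(text, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop "// indirect" and other comments
		}
		fields := strings.Fields(line)
		switch {
		case len(fields) == 2 && fields[0] == "require" && fields[1] == "(":
			inBlock = true
			continue
		case inBlock && len(fields) == 1 && fields[0] == ")":
			inBlock = false
			continue
		case !inBlock && len(fields) == 3 && fields[0] == "require":
			fields = fields[1:]
		case !inBlock:
			continue
		}
		if len(fields) < 2 {
			continue
		}
		if _, tracked := fixedIn[fields[0]]; tracked {
			out = append(out, Finding{fields[0], fields[1], VulnerableVersion(fields[0], fields[1])})
		}
	}
	return out
}

// Constructed sample go.mod for this demonstration; not taken from any real project.
const sampleGoMod = `module example.com/app
go 1.21
require (
	github.com/go-git/go-billy/v5 v5.5.0
	github.com/go-git/go-git/v5 v5.10.1 // indirect
	gopkg.in/src-d/go-git.v4 v4.13.1
)
require golang.org/x/net v0.19.0
`

func main() {
	for _, f := range ScanGoMod(sampleGoMod) {
		fmt.Printf("%-30s %-10s vulnerable=%v\n", f.Module, f.Version, f.Vulnerable)
	}
}
```

To run it against a real project, replace the contents of `sampleGoMod` with the project's go.mod. A hit is a prompt to inspect whether the code actually opens or clones repositories through the `Plain*` functions (ChrootOS); as the page notes, BoundOS and in-memory filesystem users are not affected, so the version check alone overstates exposure.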
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | 9.8 | CRITICAL | — |
| vendor_debian | 9.8 | CRITICAL | — |
| vendor_msrc | 9.8 | CRITICAL | — |
| vendor_redhat | 9.8 | CRITICAL | — |
| vendor_ubuntu | 7.5 | HIGH | — |
Ubuntu
go-git vulnerabilities
vendor_ubuntu · 2026-03-12 · CVSS 7.5
CVE-2025-21613 [HIGH] go-git vulnerabilities
Summary: Several security issues were fixed in go-git.
Ionut Lalu discovered that go-git incorrectly handled certain specially crafted Git server responses. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-49568, CVE-2025-21614)
Ionut Lalu discovered that go-git incorrectly handled file system paths when using the ChrootOS implementation. A remote attacker could possibly use this issue to perform a path traversal and create or modify arbitrary files, leading to remote code execution. (CVE-2023-49569)
It was discovered that go-git did not properly sanitize arguments when invoking git-upload-pack using the file transport protocol. An attacker could possibly use this issue to inject arbitrary flag values when interacting with
Red Hat
go-git: Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients
vendor_redhat · 2024-01-09 · CVSS 9.8
CVE-2023-49569 [CRITICAL] CWE-22 go-git: Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients
A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worst case scenario, remote code execution could be achieved.
Applications are only affected if they are using the ChrootOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS , which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS or in-memory filesystems are not affected by this issue.
This is a go-git implementation issue and does not affect the upstream git cli.
Microsoft
Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients
vendor_msrc · 2024-01-09 · CVSS 9.8
CVE-2023-49569 [CRITICAL] CWE-22 Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Bitdefender: Bitdefender
Customer Action Required: Yes
Remediation
Debian
CVE-2023-49569: golang-github-go-git-go-git - A path traversal vulnerability was discovered in go-git versions prior to v5.11....
vendor_debian · 2023 · CVSS 9.8
CVE-2023-49569 [CRITICAL] CVE-2023-49569: golang-github-go-git-go-git - A path traversal vulnerability was discovered in go-git versions prior to v5.11....
A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worst case scenario, remote code execution could be achieved. Applications are only affected if they are using the ChrootOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS , which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS or in-memory filesystems are not affected by this issue. This is a go-git implementation issue and does not affect the upstream git cli.
Scope: local
bookworm: open
forky: resolved (fixed in 5.11.0-1)
sid: resolved (fixed in 5.11.0-1)
trixie: resolved (fi
OSV
golang-github-go-git-go-git vulnerabilities
osv · 2026-03-12 · CVSS 7.5
CVE-2023-49568 [HIGH] golang-github-go-git-go-git vulnerabilities
Ionut Lalu discovered that go-git incorrectly handled certain specially crafted Git server responses. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-49568, CVE-2025-21614)
Ionut Lalu discovered that go-git incorrectly handled file system paths when using the ChrootOS implementation. A remote attacker could possibly use this issue to perform a path traversal and create or modify arbitrary files, leading to remote code execution. (CVE-2023-49569)
It was discovered that go-git did not properly sanitize arguments when invoking git-upload-pack using the file transport protocol. An attacker could possibly use this issue to inject arbitrary flag values when interacting with local Git repositories. (CVE-2025-21613)
OSV
Path traversal and RCE in github.com/go-git/go-git/v5 and gopkg.in/src-d/go-git.v4
osv · 2024-01-23
CVE-2023-49569 Path traversal and RCE in github.com/go-git/go-git/v5 and gopkg.in/src-d/go-git.v4
OSV
CVE-2023-49569: A path traversal vulnerability was discovered in go-git versions prior to v5
osv · 2024-01-12 · CVSS 9.8
CVE-2023-49569 [CRITICAL] CVE-2023-49569: A path traversal vulnerability was discovered in go-git versions prior to v5
A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worst case scenario, remote code execution could be achieved. Applications are only affected if they are using the ChrootOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS , which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS or in-memory filesystems are not affected by this issue. This is a go-git implementation issue and does not affect the upstream git cli.
GHSA
Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients
ghsa · 2024-01-10
CVE-2023-49569 [CRITICAL] CWE-22 Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients
### Impact
A path traversal vulnerability was discovered in go-git versions prior to `v5.11`. This vulnerability allows an attacker to create and amend files across the filesystem. In the worst case scenario, remote code execution could be achieved.
Applications are only affected if they are using the [ChrootOS](https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS), which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using [BoundOS](https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS) or in-memory filesystems are not affected by this issue.
This is a `go-git` implementation issue and does not affect the upstream `git` cli.
OSV
Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients
osv · 2024-01-10
CVE-2023-49569 [CRITICAL] Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients
### Impact
A path traversal vulnerability was discovered in go-git versions prior to `v5.11`. This vulnerability allows an attacker to create and amend files across the filesystem. In the worst case scenario, remote code execution could be achieved.
Applications are only affected if they are using the [ChrootOS](https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS), which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using [BoundOS](https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS) or in-memory filesystems are not affected by this issue.
This is a `go-git` implementation issue and does not affect the upstream `git` cli.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-01-12