CVE-2025-21613
Published: 2025-01-06
Priority: P2 (58) · Severity: critical · CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 1.24% (65.4th percentile)
go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-github-go-git-go-git | < golang-github-go-git-go-git 5.13.2-1 (forky) | golang-github-go-git-go-git 5.13.2-1 (forky) |
| github.com | go-git_go-git_v4 | >= 4.0.0 | — |
| github.com | go-git_go-git_v5 | >= 0 < 5.13.0 | 5.13.0 |
| go-git | go-git | — | — |
| go-git_project | go-git | < 5.13.0 | 5.13.0 |
| gopkg.in | src-d_go-git.v4 | 4.0.0 – 4.13.1 | — |
| gopkg.in | src-d_go-git.v4 | >= 4.0.0 | — |
| msrc | azl3_packer_1.9.5-5_on_azure_linux_3.0 | — | — |
| msrc | azl3_packer_1.9.5-6_on_azure_linux_3.0 | — | — |
| msrc | cbl2_cri-o_1.22.3-12_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_packer_1.9.5-5_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_packer_1.9.5-7_on_cbl_mariner_2.0 | — | — |
Detection & IOCs (extracted from sources)
- Argument injection occurs only when the file transport protocol is used in go-git, as it is the only protocol that shells out to git binaries; monitor for unexpected git-upload-pack invocations with anomalous flag values originating from go-git-based applications.
- Detect argument injection attempts by monitoring the URL field passed to go-git for values that include flag-like strings (e.g., leading dashes) that could be forwarded as git-upload-pack arguments.
- Flag any go-git process spawning git-upload-pack with unexpected or injected flag arguments; this is the direct exploitation path for CVE-2025-21613.
- The vulnerability only affects go-git deployments using the file transport protocol; SSH and HTTP/HTTPS transport protocols are not affected.
- If upgrading is not immediately possible, enforce validation rules on values passed in the URL field as a temporary mitigation.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 9.2 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear |
| osv | — | 9.2 | CRITICAL | — |
| vendor_debian | — | 9.2 | CRITICAL | — |
| vendor_redhat | — | 9.2 | CRITICAL | — |
| vendor_msrc | — | 8.1 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
Ubuntu
go-git vulnerabilities
vendor_ubuntu·2026-03-12·CVSS 7.5
CVE-2025-21613 [HIGH] go-git vulnerabilities
Title: go-git vulnerabilities
Summary: Several security issues were fixed in go-git.
Ionut Lalu discovered that go-git incorrectly handled certain specially crafted Git server responses. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-49568, CVE-2025-21614)
Ionut Lalu discovered that go-git incorrectly handled file system paths when using the ChrootOS implementation. A remote attacker could possibly use this issue to perform a path traversal and create or modify arbitrary files, leading to remote code execution. (CVE-2023-49569)
It was discovered that go-git did not properly sanitize arguments when invoking git-upload-pack using the file transport protocol. An attacker could possibly use this issue to inject arbitrary flag values when interacting with
Microsoft
go-git has an Argument Injection via the URL field
vendor_msrc·2025-01-14·CVSS 8.1
CVE-2025-21613 [CRITICAL] CWE-88 go-git has an Argument Injection via the URL field
go-git has an Argument Injection via the URL field
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://lear
Red Hat
go-git: argument injection via the URL field
vendor_redhat·2025-01-06·CVSS 9.2
CVE-2025-21613 [CRITICAL] CWE-88 go-git: argument injection via the URL field
go-git: argument injection via the URL field
go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.
An argument injection vulnerability was found in go-git. This flaw allows an attacker to set arbitrary values to git-upload-pack flags, leading to command or code execution, exposure of sensitive data, or other unintended behavior. This is only possible in configurations where the file transport protoc
Debian
CVE-2025-21613: golang-github-go-git-go-git - go-git is a highly extensible git implementation library written in pure Go. An ...
vendor_debian·2025·CVSS 9.2
CVE-2025-21613 [CRITICAL] CVE-2025-21613: golang-github-go-git-go-git - go-git is a highly extensible git implementation library written in pure Go. An ...
go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.
Scope: local
bookworm: open
forky: resolved (fixed in 5.13.2-1)
sid: resolved (fixed in 5.13.2-1)
trixie: resolved (fixed in 5.13.2-1)
OSV
golang-github-go-git-go-git vulnerabilities
osv·2026-03-12·CVSS 7.5
CVE-2023-49568 [HIGH] golang-github-go-git-go-git vulnerabilities
golang-github-go-git-go-git vulnerabilities
Ionut Lalu discovered that go-git incorrectly handled certain specially crafted Git server responses. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-49568, CVE-2025-21614)
Ionut Lalu discovered that go-git incorrectly handled file system paths when using the ChrootOS implementation. A remote attacker could possibly use this issue to perform a path traversal and create or modify arbitrary files, leading to remote code execution. (CVE-2023-49569)
It was discovered that go-git did not properly sanitize arguments when invoking git-upload-pack using the file transport protocol. An attacker could possibly use this issue to inject arbitrary flag values when interacting with local Git repositories. (CVE-2025-21613)
OSV
Argument Injection via the URL field in github.com/go-git/go-git
osv·2025-01-07
CVE-2025-21613 Argument Injection via the URL field in github.com/go-git/go-git
Argument Injection via the URL field in github.com/go-git/go-git
GHSA
go-git has an Argument Injection via the URL field
ghsa·2025-01-06
CVE-2025-21613 [CRITICAL] CWE-88 go-git has an Argument Injection via the URL field
go-git has an Argument Injection via the URL field
### Impact
An argument injection vulnerability was discovered in `go-git` versions prior to `v5.13`.
Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to [git-upload-pack flags](https://git-scm.com/docs/git-upload-pack). This only happens when the `file` transport protocol is being used, as that is the only protocol that shells out to `git` binaries.
### Affected versions
Users running versions of `go-git` from `v4` and above are recommended to upgrade to `v5.13` in order to mitigate this vulnerability.
### Workarounds
In cases where a bump to the latest version of `go-git` is not possible, we recommend users to enforce strict validation rules for values passed in the URL field.
## Credit
OSV
CVE-2025-21613: go-git is a highly extensible git implementation library written in pure Go
osv·2025-01-06·CVSS 9.2
CVE-2025-21613 [CRITICAL] CVE-2025-21613: go-git is a highly extensible git implementation library written in pure Go
go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.
OSV
go-git has an Argument Injection via the URL field
osv·2025-01-06
CVE-2025-21613 [CRITICAL] go-git has an Argument Injection via the URL field
go-git has an Argument Injection via the URL field
### Impact
An argument injection vulnerability was discovered in `go-git` versions prior to `v5.13`.
Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to [git-upload-pack flags](https://git-scm.com/docs/git-upload-pack). This only happens when the `file` transport protocol is being used, as that is the only protocol that shells out to `git` binaries.
### Affected versions
Users running versions of `go-git` from `v4` and above are recommended to upgrade to `v5.13` in order to mitigate this vulnerability.
### Workarounds
In cases where a bump to the latest version of `go-git` is not possible, we recommend users to enforce strict validation rules for values passed in the URL field.
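The workaround in the GHSA and OSV entries above recommends strict validation of values passed in the URL field before go-git handles a file-transport URL. The following Go pre-check is an added illustration of that workaround, not go-git's own code and not the fix shipped in v5.13: it rejects values that git-upload-pack would parse as flags and confines the repository path to an allowed root. The function name, the allowed-root argument and the sample inputs are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ValidateFileTransportURL is a hypothetical pre-check (not part of go-git)
// that applies the advisory's workaround for the file transport: the value
// is accepted only if it is a non-empty path that does not look like a
// command-line flag and resolves inside allowedRoot. It returns the cleaned
// absolute path that may then be handed to go-git.
func ValidateFileTransportURL(raw, allowedRoot string) (string, error) {
	path := strings.TrimPrefix(raw, "file://")
	if path == "" {
		return "", errors.New("url rejected: empty repository path")
	}
	// A leading dash is the argument-injection shape: git-upload-pack would
	// parse such a value as an option rather than as a repository path.
	if strings.HasPrefix(path, "-") {
		return "", fmt.Errorf("url rejected: %q would be read as a git-upload-pack flag", path)
	}
	root, err := filepath.Abs(allowedRoot)
	if err != nil {
		return "", err
	}
	abs, err := filepath.Abs(path) // Abs also cleans ".." segments
	if err != nil {
		return "", err
	}
	// Confine the repository to the allowed root; any escape via ".." or a
	// sibling directory sharing the root's prefix is rejected.
	rel, err := filepath.Rel(root, abs)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("url rejected: %q is outside %s", abs, root)
	}
	return abs, nil
}

func main() {
	// Constructed sample inputs, not values taken from any real report.
	for _, u := range []string{"file:///srv/git/project.git", "file://--some-flag", "file:///srv/git/../../etc/passwd"} {
		if p, err := ValidateFileTransportURL(u, "/srv/git"); err != nil {
			fmt.Printf("%-40s rejected: %v\n", u, err)
		} else {
			fmt.Printf("%-40s accepted as %s\n", u, p)
		}
	}
}
```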
## Credit
No detection rules found.
No public exploits indexed.
Published: 2025-01-06