CVE-2025-21613 — Argument Injection in Go-git Go-git V5

CWE-88 — Argument Injection10 documents7 sources

Severity

9.2CRITICALNVD

OSV7.5

EPSS

2.9%

top 13.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Go-git Go-git V5 Go-git Project Go-git Debian Golang-github-go-git-go-git +8 more

Timeline

PublishedJan 6

Latest updateMar 12

Description

go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages11 packages

▶msrcmsrc/azl3_packer_1.9.5-5_on_azure_linux_3.0

▶msrcmsrc/azl3_packer_1.9.5-6_on_azure_linux_3.0

▶msrcmsrc/cbl2_packer_1.9.5-5_on_cbl_mariner_2.0

▶msrcmsrc/cbl2_packer_1.9.5-7_on_cbl_mariner_2.0

▶NVDgo-git_project/go-git< 5.13.0

🔴Vulnerability Details

OSV

golang-github-go-git-go-git vulnerabilities↗2026-03-12

▶

OSV

Argument Injection via the URL field in github.com/go-git/go-git↗2025-01-07

▶

GHSA

go-git has an Argument Injection via the URL field↗2025-01-06

▶

OSV

CVE-2025-21613: go-git is a highly extensible git implementation library written in pure Go↗2025-01-06

▶

OSV

go-git has an Argument Injection via the URL field↗2025-01-06

▶

📋Vendor Advisories

Ubuntu

go-git vulnerabilities↗2026-03-12

▶

Microsoft

go-git has an Argument Injection via the URL field↗2025-01-14

▶

Red Hat

go-git: argument injection via the URL field↗2025-01-06

▶

Debian

CVE-2025-21613: golang-github-go-git-go-git - go-git is a highly extensible git implementation library written in pure Go. An ...↗2025

▶